Re: Authentication flaw in Web Wiz forum

["Alexander" <pk95 () yandex ru>]

Hi all again!

This bug works only when password changes using "Forgotten your password?"
future.

The user code is changed when changing the password using "user profile".

Sorry for my mistake.


----- Original Message ----- 
From: "Alexander" <pk95 () yandex ru>
To: <full-disclosure () lists netsys com>
Cc: "Bruce Corkhill" <bruce () webwizguide info>
Sent: Wednesday, March 03, 2004 12:20 AM
Subject: Authentication flaw in Web Wiz forum


> Product:  Web Wiz forum 7.0-7.7a www.webwizforum.com
>
> Risk:          Medium
>
> Date:         02 March, 2004
>
> Autor:        Pig Killer and Michael ( www.SecurityLab.ru)
>
>
>
> When user log on forum, for his cookies identification forum using
User_code
> value from tblAutor table from underlying database, which doesn't change
> with changing of password. As a result, when user change password, he can
> register in the forum using old cookies. As a result, if users cookies was
> compromised (for example by XSS), then even password changing will doesn't
> protect his account from unauthorized using.
>
>
>
> The forum also allows logged in user to change the password without
entering
> the old one. Thus, having cookie, you can change the password without
> knowing the old one.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html