MSN Plus Password Change Security Bypass Vulnerability

["m0fo" <editor () sec org il>]

Title: MSN Plus Password Change Security Bypass Vulnerability
Risk: Medium
Date: 07.04.2005
Publisher: m0fo (editor at sec.org.il) 
Source: http://sec.org.il/articles.php?a=187
Vendor:  <http://www.msgplus.net> http://www.msgplus.net
 
MSN Plus is additional application for the MSN Messenger. Msn Plus is adding
a lot of options to the standart MSN Messenger.
One of the options is to lock your MSN Messenger with password you choose,
this way could be bypass easily because the password can be changed without
providing the old password.
all the msn plus password's protection could be bypass easily because the
vendor build it on the same way.
all the MSN Messngers and MSN Plus are vulnerable.
 
NOTE: successful exploitation requires that a user has logged in recently.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/