MSN Plus Password Change Security Bypass Vulnerability

["m0fo" <editor () sec org il>]

MSN Plus Password Change Security Bypass Vulnerability
 
date: 05.11.2005
publisher: m0fo (editor at sec.org.il)
vendor: www.msgplus.net <http://www.msgplus.net/> 
 
Msn Plus! is additional aplication for MSN Messenger. This application
adding a lot of new options into the MSN Messenger so it will be easier to
use it. One of the application's option is to set a password witch lock the
application, lock the logs, etc. its easy to set password for this, but its
much easier to change it, while someone trying to change password that
already set, he doesnt need to fill in the old password, this may cause a
malicious user to take control over the application, maybe reading your
talks, locking your MSN, etc.
 
all versions of that MSN Plus! are vulnerable to this flow, my advice is not
to use it.
 
 <http://www.msgplus.net>  
 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/