Full Disclosure mailing list archives

Insufficient Authorization vulnerability in Act


From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 1 Sep 2013 20:37:53 +0300

Hello list!

This is Insufficient Authorization vulnerability in Act. It is conference
software written in Perl.

Besides Insufficient Authorization, there are a lot of other vulnerabilities
in Act.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of Act (they fixed this hole on July 27, 2013).
The developers don't use version numbers for their software.

-------------------------
Affected vendors:
-------------------------

Act - A Conference Toolkit
http://act.mongueurs.net

----------
Details:
----------

Insufficient Authorization (WASC-02):

http://site/edittalk?talk_id=1

Any authenticated user can edit arbitrary talks (by setting the id), and also
delete them (via the edit function).

This vulnerability can be used to sabotage a conference by deleting all talks.

------------
Timeline:
------------
2013.07.14 - informed the organizers of YAPC::Europe 2013, on whose site I
found this and other holes. They did not fix this or any of the other holes on
their site (which they had had for 10 years while using Act), arguing that
the developers of Act should do that and that they don't care about the
security of their site.
2013.07.14 - informed Act developers. They didn't answer.
2013.07.16 - announced at my site.
2013.07.27 - developers fixed this vulnerability (without answering or
thanking me)
(https://github.com/book/Act/commit/e9c5257594f7eb69c4f935fb14fadb1bc79b46d7).
2013.08.29 - disclosed at my site (http://websecurity.com.ua/6657/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
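The missing check described in the post, shown as an added example that is not Act's code: an edit-talk handler that only verifies that someone is logged in, beside a hardened version that also verifies the caller owns the talk (or holds an assumed organizer role) before editing or deleting it. The Talk/User model and the organizer flag are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Talk:
    talk_id: int
    owner: str            # login of the user who submitted the talk
    title: str
    deleted: bool = False


@dataclass
class User:
    login: str
    organizer: bool = False   # assumed role: conference organizer


class Forbidden(Exception):
    """Raised when the caller may not modify the requested talk."""


def sample_talks():
    """Constructed sample data: two talks submitted by two different users."""
    return {1: Talk(1, "alice", "Kernel hacking"),
            2: Talk(2, "bob", "Testing in Perl")}


def edit_talk_vulnerable(talks, user, talk_id, title=None, delete=False):
    """Mirrors the reported flaw: the handler trusts the talk_id parameter
    after checking only that `user` is authenticated, so any logged-in user
    can edit or delete any talk by changing the id."""
    talk = talks[talk_id]        # no check that `user` owns this talk
    if delete:
        talk.deleted = True
    elif title is not None:
        talk.title = title
    return talk


def can_modify(user, talk):
    """Object-level authorization: the submitter or an organizer."""
    return user.login == talk.owner or user.organizer


def edit_talk_fixed(talks, user, talk_id, title=None, delete=False):
    """Hardened handler: authorize against the specific talk being changed."""
    talk = talks.get(talk_id)
    # Same refusal for "no such talk" and "not yours", so the response
    # does not reveal which ids exist.
    if talk is None or not can_modify(user, talk):
        raise Forbidden("talk %s: not editable by %s" % (talk_id, user.login))
    if delete:
        talk.deleted = True
    elif title is not None:
        talk.title = title
    return talk
```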

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
