DPEC Online Courseware

From: Joel Knight (jwknightat_private)
Date: Fri Jan 15 1999 - 20:45:24 PST


    DPEC's (www.dpec.com) Online Courseware has a nasty bug in it that allows
    anyone to change anyone else's password without knowing what their current
    password is. This is NOT limited to normal user accounts, but also to the
    admin account(s).
    
    When a user logs in for the first time, they are required to change their
    password. User jblow goes to the main login page and enters his username
    and password. The courseware sees that he is a new user and gives jblow
    a second login screen asking him to verify his password; this is where the
    problem is. The courseware puts the following tag into the verification
    page: <INPUT TYPE="hidden" NAME="firstpass">. This tag basically tells the
    courseware "it's ok, change the current password to what the user enters
    and allow them to login regardless of current password (if any)".
    
    Further inspection of the verification page will find the actual password
    stored in an <INPUT> tag with the TYPE="hidden" attribute. Simply by
    saving a copy of this verification page to your hard drive and making the
    proper modifications, you can gain (administrator) access to the
    courseware.
    
    DPEC was notified back in Oct/Nov 1998 and basically said that there was
    no other way that this password verification could take place.
    I will not bore the Bugtraq readers with my rant on that subject :P
    
    AFAIK, in DPEC's latest release, this problem has not been fixed.
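As an added illustration (not DPEC's code, and not part of the original post), the following Python shows the design flaw described above next to the server-side check that removes it. The in-memory user table, the PBKDF2 hashing, the form field names (`username`, `firstpass`, `password`, `current`, `confirm`) and the function names are all assumptions made for the example; the post does not describe the courseware's internals beyond the hidden `firstpass` and password fields.

```python
import hashlib
import hmac
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    # Hashing scheme is an assumption for the example; DPEC's storage is not described.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(password: str, must_change: bool) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "must_change": must_change}


def make_users() -> dict:
    # Constructed sample accounts: jblow is logging in for the first time, admin is not.
    return {
        "jblow": make_user("initial-pw", must_change=True),
        "admin": make_user("admin-secret", must_change=False),
    }


def check_password(user: dict, candidate: str) -> bool:
    return hmac.compare_digest(user["hash"], hash_password(candidate, user["salt"]))


def set_password(user: dict, new_password: str) -> None:
    user["salt"] = secrets.token_bytes(16)
    user["hash"] = hash_password(new_password, user["salt"])
    user["must_change"] = False


def vulnerable_change_password(users: dict, form: dict) -> bool:
    """Reproduces the logic the post describes: the account name, the new password
    and the 'firstpass' marker all arrive as (hidden) form fields, so whoever edits
    the saved verification page chooses all three."""
    user = users.get(form.get("username", ""))
    if user is None:
        return False
    new_password = form.get("password", "")
    if "firstpass" in form:
        # "it's ok, change the current password regardless of what it was"
        set_password(user, new_password)
        return True
    if not check_password(user, form.get("current", "")):
        return False
    set_password(user, new_password)
    return True


def hardened_change_password(users: dict, session_username: str, form: dict) -> bool:
    """Server-side fix: the account comes from the authenticated session and the
    first-login state from the stored record. No form field can waive the
    current-password check for an account that is not on its first login."""
    user = users.get(session_username)
    if user is None:
        return False
    new_password = form.get("password", "")
    if len(new_password) < 8 or new_password != form.get("confirm", ""):
        return False
    if not user["must_change"]:
        # Established accounts must prove the current password before it changes.
        if not check_password(user, form.get("current", "")):
            return False
    set_password(user, new_password)
    return True
```

The point of the hardened version is that the "first login" decision is state the server already holds (it set the flag when it created the account), so it never needs to round-trip through the browser; the same applies to the username, which comes from the session established by the initial login rather than from the form.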
    
    -- 
     Joel Knight                                  jwknightat_private
    
     PGP Key: hkp://keys.pgp.com/jwknightat_private
     KeyID 2048/38C24864
     Fingerprint 6D7D 1E4F 728B ACDA 6557  F3EC 85BB BA7C 38C2 4864
    
    
    --BOKacYhQ+x31HxR3
    Content-Type: application/pgp-signature
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP for Personal Privacy 5.0
    MessageID: 7kuQIOVxtz4hPx7Rs3SZQgSVHelGou2d
    
    iQA/AwUBNqAZYYW7unw4wkhkEQJB5wCg2LoNg5M8aPoAVHr0KByHMDQqw0UAoPwo
    rLva3xZkUcI7fUSGNXziElad
    =a95K
    -----END PGP SIGNATURE-----
    
    --BOKacYhQ+x31HxR3--
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:29:02 PDT