--BOKacYhQ+x31HxR3 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable DPEC's (www.dpec.com) Online Courseware has a nasty bug in it that allows anyone to change anyone elses password without knowing what their current= =20 password is. This is NOT limited to normal user accounts, but also to the admin account(s). When a user logs in for the first time, they are required to change their password. User jblow goes to the main login page and enters his username and password. The courseware sees that he is a new user and gives jblow a second login screen asking him to verify his password; this is where the problem is. The courseware puts the following tag into the verification page: <INPUT TYPE=3D"hidden" NAME=3D"firstpass">. This tag basically tells = the courseware "its ok, change the current password to what the user enters and allow them to login regardless of current password (if any)". Further inspection of the verification page will find the actual password stored in an <INPUT> tag with the TYPE=3D"hidden" attribute. Simply by saving a copy of this verification page to your hard drive and making the proper modifications, you can gain (administrator) access to the courseware. DPEC was notified back in Oct/Nov 1998 and basically said that there was no other way that this password verification could take place. I will not bore the Bugtraq readers with my rant on that subject :P AFAIK, in DPEC's latest release, this problem has not been fixed. --=20 Joel Knight jwknightat_private PGP Key: hkp://keys.pgp.com/jwknightat_private KeyID 2048/38C24864 Fingerprint 6D7D 1E4F 728B ACDA 6557 F3EC 85BB BA7C 38C2 4864 --BOKacYhQ+x31HxR3 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 MessageID: 7kuQIOVxtz4hPx7Rs3SZQgSVHelGou2d iQA/AwUBNqAZYYW7unw4wkhkEQJB5wCg2LoNg5M8aPoAVHr0KByHMDQqw0UAoPwo rLva3xZkUcI7fUSGNXziElad =a95K -----END PGP SIGNATURE----- --BOKacYhQ+x31HxR3--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:29:02 PDT