Problem:
--------
The free surf-net ASP forum, which is downloadable at
http://www.surf-net.co.uk/asp/forum/forum_script.asp, contains at least one
major security hole which can be easily exploited by a malicious user. The
problem was discovered during a website audit.

Impact:
-------
Anyone can become the administrator of the message board.

Description:
------------
The forum sets a cookie 'userid' as soon as a user logs on (if the user
prefers cookies). This cookie seems to be some kind of representation of the
real userid. When auditing, we first got a cookie with userid '2666664' (with
real userid 3; the registration page returns this number), and after we
registered a second userid '3555552' (with real userid 4) it wasn't hard to
guess that the admin user would have the userid '0888888' (thus real userid
1). After changing the local cookie and restarting Netscape it turned out we
were right.

After that we found and downloaded the source code and discovered this at
line 89 of common.inc:

lngLoggedInUserID = CLng(Request.Cookies("Forum")("UserID") / 888888)

Which of course is not a very secure way of doing things ;-)

Solution:
---------
The author reacted within one day and fixed the problem. Fixed version 2.30
should be available at http://www.surf-net.co.uk/asp/forum/forum_script.asp.

Mark Lastdrager -- Pine Internet BV :: tel. +31-70-3111010 :: fax. +31-70-3111011
PGP 92BB81D1 fingerprint 0059 7D7B C02B 38D2 A853 2785 8C87 3AF1
Today's excuse: Forced to support NT servers; sysadmins quit.
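The decode at line 89 placed beside a server-authenticated alternative, as an added Python example (not the forum's ASP code): weak_decode mirrors the CLng(... / 888888) line, while signed_encode/signed_decode (assumed names) bind the userid to an HMAC under a server-side secret so a client-edited value is rejected instead of trusted.

```python
import hmac
import hashlib
import secrets

MULTIPLIER = 888888  # the constant from common.inc line 89


def weak_decode(cookie_value: str) -> int:
    """Mirrors CLng(cookie / 888888): whatever integer the client sends is
    divided and trusted as the logged-in userid. Python's round() uses the
    same banker's rounding as VBScript's CLng."""
    return round(int(cookie_value) / MULTIPLIER)


# Constructed per-process secret; a real deployment keeps it in server
# config and never sends it to the client.
SECRET = secrets.token_bytes(32)


def _tag(user_id_text: str, secret: bytes) -> str:
    return hmac.new(secret, user_id_text.encode(), hashlib.sha256).hexdigest()


def signed_encode(user_id: int, secret: bytes = SECRET) -> str:
    """Cookie value 'userid.hmac'; only the server can produce a valid tag."""
    uid = str(int(user_id))
    return f"{uid}.{_tag(uid, secret)}"


def signed_decode(cookie_value: str, secret: bytes = SECRET):
    """Return the userid only if the tag verifies; None for malformed or
    tampered cookies (e.g. the userid part rewritten to 1)."""
    try:
        uid, tag = cookie_value.split(".", 1)
        int(uid)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _tag(uid, secret)):
        return None
    return int(uid)


if __name__ == "__main__":
    print(weak_decode("2666664"), weak_decode("3555552"), weak_decode("0888888"))
    cookie = signed_encode(3)
    print(signed_decode(cookie), signed_decode("1." + cookie.split(".")[1]))
```

An opaque random session token looked up server-side would hide the userid entirely; the signed form is the minimal change that keeps the existing cookie layout while removing the forgeability.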
This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 13:53:03 PDT