Ecartis Password Resetting Vulnerability

From: Haluk AYDIN (haydinat_private)
Date: Wed Feb 26 2003 - 23:14:24 PST

    Hi,
    
    I don't know if someone has discovered this before, but Ecartis 1.0.0 
    (formerly Listar) contains a vulnerability that enables an attacker to reset 
    the passwords of any user defined on the list server, including the list 
    admins. 
    
    After logging on as a non-privileged user, Ecartis enables the user to 
    change his/her password, but does not ask for the old one. The first time 
    I saw this, I thought that the software relied on the session 
    cookie, but it seems this is not the case. 
    
    The HTML page contains the username in the "hidden" fields. After saving 
    the page to disk, replacing all "hidden" fields with another username 
    that is defined on the server, and reloading the page, we can try 
    our luck at changing the password. Just fill in the empty password fields 
    with a password of your choice and click "Change Password": there you 
    are... You have just reset the victim's password.
    
    I have not tested this on different versions, but I guess it will work for 
    all of them. I would appreciate any comments on the issue.
    
    Regards,
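
As an added example, not code from the post and not Ecartis code: a minimal model of the hidden-field trust problem described above. The vulnerable handler accepts any live session cookie and then resets whichever account the form's hidden field names, with no old password; the hardened handler takes the account from the session, rejects a tampered hidden field, and demands the current password. The field names (user, old, pw1, pw2), the session table and the user store are assumptions for illustration, not Ecartis internals.

```python
"""Added example, not from the post or from Ecartis: a 'change password'
handler that trusts a hidden username field, next to a hardened one.
Field names (user/old/pw1/pw2), the session table and the user store are
assumptions for illustration only."""
import hashlib
import hmac
import os
from urllib.parse import parse_qs

ITERATIONS = 20_000  # kept low so the demo runs quickly; raise in real code


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_users(initial):
    """Constructed user store: name -> (salt, pbkdf2 digest)."""
    users = {}
    for name, pw in initial.items():
        salt = os.urandom(16)
        users[name] = (salt, _hash(pw, salt))
    return users


def check_password(users, name, password):
    rec = users.get(name)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(_hash(password, salt), digest)


# Constructed session table: cookie value -> authenticated username.
SESSIONS = {"sess-mallory": "mallory"}


def vulnerable_change_password(users, cookie, body):
    """Models the flaw in the post: the cookie only proves that *someone* is
    logged in; the account to reset comes from the hidden 'user' field and
    no old password is requested."""
    if cookie not in SESSIONS:
        return "not logged in"
    form = parse_qs(body, keep_blank_values=True)
    target = form.get("user", [""])[0]
    pw1, pw2 = form.get("pw1", [""])[0], form.get("pw2", [""])[0]
    if target not in users:
        return "no such user"
    if not pw1 or pw1 != pw2:
        return "passwords do not match"
    salt = os.urandom(16)
    users[target] = (salt, _hash(pw1, salt))  # any account, admins included
    return "ok"


def hardened_change_password(users, cookie, body):
    """Fix: the account comes from the session, the posted 'user' field is
    only cross-checked against it, and the current password is required."""
    who = SESSIONS.get(cookie)
    if who is None:
        return "not logged in"
    form = parse_qs(body, keep_blank_values=True)
    if form.get("user", [who])[0] != who:
        return "forbidden"  # hidden field was edited to name another user
    if not check_password(users, who, form.get("old", [""])[0]):
        return "wrong current password"
    pw1, pw2 = form.get("pw1", [""])[0], form.get("pw2", [""])[0]
    if not pw1 or pw1 != pw2:
        return "passwords do not match"
    salt = os.urandom(16)
    users[who] = (salt, _hash(pw1, salt))
    return "ok"


# The edited form from the post: hidden 'user' changed to the list admin's
# name, the new password filled in, no old password supplied.
TAMPERED_BODY = "user=listadmin&pw1=owned&pw2=owned"


def demo():
    """Returns (vulnerable result, admin pw changed?, hardened result, admin pw intact?)."""
    users = make_users({"listadmin": "s3cret", "mallory": "hunter2"})
    v = vulnerable_change_password(users, "sess-mallory", TAMPERED_BODY)
    v_changed = check_password(users, "listadmin", "owned")
    users = make_users({"listadmin": "s3cret", "mallory": "hunter2"})
    h = hardened_change_password(users, "sess-mallory", TAMPERED_BODY)
    h_intact = check_password(users, "listadmin", "s3cret")
    return v, v_changed, h, h_intact


if __name__ == "__main__":
    print(demo())
```

The check that matters is the first one in the hardened handler: the identity being modified must be derived from server-side session state, never from anything the client can edit. Requiring the current password is the second line of defence; it also limits what a stolen session cookie can do.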
    



    This archive was generated by hypermail 2b30 : Thu Feb 27 2003 - 08:50:44 PST