ZH2003-4SA (security advisory): ASP-DEV Discussion Forum V2.0

From: G00db0y (G00db0y@zone-h.org)
Date: Sat Jul 12 2003 - 07:38:36 PDT


    ZH2003-4SA (security advisory): ASP-DEV Discussion Forum V2.0
    Published: 12/07/2003
    
    Released: 12/07/2003
    
    Name: ASP-DEV Discussion Forum V2.0 
    
    Affected Systems: All versions 
    
    Issue: Remote attackers can obtain user information (including passwords)
    
    Author: G00db0y@zone-h.org
    
    Description
    
    ***********
    
    Zone-h Security Team has discovered a serious security flaw in all versions of
    ASP-DEV Discussion Forum (advertised by the vendor as having "many updated
    features, bug fixes and code enhancements").
    
    
    Details
    
    *******
    
    ASP-DEV Discussion Forum V2.0 is an ASP forum system that covers all the
    needs of a forum.
    
    It is possible to retrieve sensitive user information. The forum ships with
    an administrative section for administering the forum. This section is
    located at:
    
    http://www.example.com/forum/admin/ (where forum is the installation
    directory of the forum)
    
    By default this section is not access-restricted, so anyone can act as the
    administrator of the forum and view every password and every user's
    information.
    
    Solution:
    
    *********
    
    The vendor has been contacted; no patch has been produced yet.
    
    
    Suggestions:
    
    ************
    
    Restrict access to the admin directory so that only administrators can reach it.
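As an added example (not part of the advisory or of the forum's own code), a check a forum operator can run over IIS W3C extended log lines to confirm whether the admin directory was, or still is, being served to unauthenticated clients; the `/forum/admin/` path follows the advisory's assumed install directory, and the log excerpt is constructed:

```python
"""Flag successful anonymous requests to the forum admin directory in IIS W3C logs.

Constructed example: the admin path assumes 'forum' is the install dir (as in
the advisory) and the log excerpt below is made up, not real traffic.
"""

ADMIN_PREFIX = "/forum/admin/"   # assumption: install dir is 'forum'

# Constructed IIS W3C log excerpt; cs-username is '-' for anonymous requests.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-07-12 07:38:36 203.0.113.5 - 192.0.2.10 GET /forum/default.asp - 200
2003-07-12 07:39:01 203.0.113.5 - 192.0.2.10 GET /forum/admin/default.asp - 200
2003-07-12 07:39:09 203.0.113.5 - 192.0.2.10 GET /forum/admin/users.asp - 200
2003-07-12 07:40:00 198.51.100.7 admin 192.0.2.10 GET /forum/admin/users.asp - 200
2003-07-12 07:41:00 203.0.113.9 - 192.0.2.10 GET /forum/admin/users.asp - 401
"""


def parse_w3c(text):
    """Yield one dict per entry, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        yield dict(zip(fields, values))


def unauthenticated_admin_hits(text, admin_prefix=ADMIN_PREFIX):
    """Return (client IP, URI) for 2xx responses to anonymous admin requests.

    A 2xx answer with cs-username '-' means IIS served the admin page without
    authenticating the client, i.e. the directory is still unprotected.
    """
    hits = []
    for entry in parse_w3c(text):
        stem = entry.get("cs-uri-stem", "")
        if not stem.lower().startswith(admin_prefix):
            continue
        anonymous = entry.get("cs-username", "-") == "-"
        served = entry.get("sc-status", "").startswith("2")
        if anonymous and served:
            hits.append((entry["c-ip"], stem))
    return hits


if __name__ == "__main__":
    for ip, path in unauthenticated_admin_hits(SAMPLE_LOG):
        print(f"unauthenticated admin access: {ip} -> {path}")
```

After access restrictions are applied, rerunning the check over fresh logs should return no hits; the authenticated `admin` entry and the 401 are deliberately excluded.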
    
    G00db0y - www.zone-h.org admin
    
    Original advisory here: http://www.zone-h.org/en/advisories/read/id=2685/
    



    This archive was generated by hypermail 2b30 : Sat Jul 12 2003 - 15:41:29 PDT