BugTraq
Ecartis Password Resetting Vulnerability Feb 27 2003 07:14AM
Haluk AYDIN (haydin biznet com tr)


Hi,

I don't know if someone has discovered this before, but Ecartis 1.0.0 (formerly Listar) contains a vulnerability that enables an attacker to reset passwords of any user defined on the list server, including the list admins.

After logging on as a non-privileged user, Ecartis enables the user to change his/her password, but does not ask for the old one. The first time I saw this, I thought that the software relies on the session cookie, but it seems this is not the case.

The HTML page contains the username in the "hidden" fields. After saving the page on disk, then replacing all "hidden" fields with another username which is defined in the server, and reloading the page again we can try our chance to change the password. Just fill in the empty password fields with a password of your choice, and click "Change Password": there you are... You have just reset the victim's password.

I have not tested this on different versions, but I guess it will work for all of them. I would appreciate any comments on the issue.

Regards,
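
The flaw described in the post, reduced to a server-side handler next to a hardened version. This is an added example, not part of the original post and not Ecartis code; the in-memory store, the session table and all function names are hypothetical.

```python
import hashlib
import hmac
import os

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(store, user, password):
    salt = os.urandom(16)
    store[user] = (salt, _digest(password, salt))

def check_password(store, user, password):
    if user not in store:
        return False
    salt, digest = store[user]
    return hmac.compare_digest(digest, _digest(password, salt))

def make_store(accounts):
    # Constructed sample accounts; a real server would load these from disk.
    store = {}
    for user, password in accounts.items():
        set_password(store, user, password)
    return store

def change_password_flawed(store, sessions, session_id, form):
    # Pattern from the post: any logged-in session may name the target
    # account in a client-controlled field, and no old password is asked.
    if session_id not in sessions:
        return "denied: not logged in"
    set_password(store, form["username"], form["new_password"])
    return "changed: " + form["username"]

def change_password_hardened(store, sessions, session_id, form):
    # The target account comes only from the server-side session.
    user = sessions.get(session_id)
    if user is None:
        return "denied: not logged in"
    # A form naming a different account is rejected (and worth logging).
    if form.get("username", user) != user:
        return "denied: account mismatch"
    # Re-authenticate with the current password before changing it.
    if not check_password(store, user, form.get("old_password", "")):
        return "denied: old password incorrect"
    set_password(store, user, form["new_password"])
    return "changed: " + user
```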
