BugTraq
Re: Ecardis Password Reseting Vulnerability
Mar 03 2003 05:37PM
Trish Lynch (trish bsdunix net)
In-Reply-To: <20030227071424.25278.qmail (at) www.securityfocus (dot) com [email concealed]>
>Date: 27 Feb 2003 07:14:24 -0000
>From: Haluk AYDIN <haydin (at) biznet.com (dot) tr [email concealed]>
>To: bugtraq (at) securityfocus (dot) com [email concealed]
>Subject: Ecardis Password Reseting Vulnerability
>
>Hi,
>
>I don't know if someone has discovered this before but Ecartis 1.0.0
>(former listar) contains a vulnerability that enables an attacker to reset
>passwords of any user defined on the list server, including the list
>admins.
>
>After logging on as a non-privileged user, Ecartis enables the user to
>change his/her password, but does not ask for the old one. The first time
>I have seen this, I thought that the software relies on the session
>cookie, but it seems this is not the case.
>
>The html page contains the username in the "hidden" fields. After saving
>the page on disk, then replacing all "hidden" fields with another username
>which is defined in the server, and reloading the page again we can try
>our chance to change the password. Just fill in the empty password fields
>with a password of your choice, and click "Change Password": there you
>are... You have just reset the victim's password.
>
>I have not tested this on different versions, but I guess it will work for
>all of them. I would appreciate any comments on the issue.
>
>Regards,
>
Thank you for bringing this to our attention; it was
fixed only a few hours after receiving this.
The FreeBSD port (which I maintain) has also been updated.
Please use snapshot versions after 20030227, and make
sure the FreeBSD port is updated as well.
-Trish Lynch - ecartis core team.
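
Added example, not part of the thread and not Ecartis code or the project's actual fix: a toy Python model of the password form described in the report, showing the handler that trusts the hidden username field beside one that takes the account from the server-side session and re-checks the current password. The ListServer class, its method names and the form field names are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ListServer:
    """Toy model of a list server's web password form (constructed, not Ecartis code)."""
    def __init__(self):
        self.users = {}      # username -> (salt, password hash)
        self.sessions = {}   # session token -> username

    def add_user(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, _hash(password, salt))

    def check(self, name, password):
        if name not in self.users:
            return False
        salt, stored = self.users[name]
        return hmac.compare_digest(stored, _hash(password, salt))

    def login(self, name, password):
        if not self.check(name, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = name
        return token

    def change_password_flawed(self, token, form):
        # Flaw from the report: the target account is read from a
        # client-controlled hidden field and the old password is never asked for.
        if token not in self.sessions or form["username"] not in self.users:
            return False
        self.add_user(form["username"], form["new_password"])
        return True

    def change_password_fixed(self, token, form):
        # Identity comes only from the server-side session; any username in
        # the form is ignored, and the current password is re-verified.
        user = self.sessions.get(token)
        if user is None or not self.check(user, form.get("old_password", "")):
            return False
        self.add_user(user, form["new_password"])
        return True
```
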