ZH2003-4SA (security advisory): ASP-DEV Discussion Forum V2.0

Published: 12/07/2003

Released: 12/07/2003

Name: ASP-DEV Discussion Forum V2.0

Affected Systems: All versions

Issue: Remote attackers can obtain users information (including passwords)

Author: G00db0y (at) zone-h (dot) org [email concealed]

Description

***********

Zone-h Security Team has discovered a serious security flaw in all

versions of

ASP-DEV Discussion Forum "with many updated features, bug fixes and code

enhancements."

Details

*******

ASP-DEV Discussion Forum V2.0 is an ASP forum system that covers all the

needs for a forum.

It's possible to retrieve sensible users information. There is an

administrative

section for administrating this forum. This section is located here:

http://www.example.com/forum/admin/ (if forum is the installation dir of

the forum)

By default this page isn't restricted, so everyone can be the

administrator of this

forum. Everyone can see every password and every users information.

Solution:

*********

The vendor has been contacted and a patch is not yet produced

Suggestions:

************

Protect the admin directory.

G00db0y - www.zone-h.org admin

Original advisory here: http://www.zone-h.org/en/advisories/read/id=2685/

[ reply ]