COMMAND

    DCForum easily guessable users passwords

SYSTEMS AFFECTED

    DCForum version 6.22

PROBLEM

    Shimi posted :

    When a user requests a new password for his account, a new password is
    generated and sent to the requester (anyone who knows the
    username+email information, which is usually available in the
    "user profile"). The problem is that the password is simply the first
    6 characters of the user's SessionID, which is, of course, known to
    anybody who knows how to see a value in a cookie. Hence every user in
    the world can come to the board, request a new password for someone,
    and then log in with that username + the first 6 characters of the
    SessionID from the cookie.

    Update (06 February 2002)
    =========================

    When registering a user and not allowing him to choose a password, a
    password is generated by the same algorithm as the one used when
    creating a new password for a user who lost it. Once again, the
    password is predictable, thus bypassing all limitations of requiring a
    valid mailbox for user registration (a user can use a fake E-Mail
    address and still know his password).

    In Lib/user_register.pl:

    <snip>
    if ($r_in->{'command'} eq 'register') {
    </snip>

    <snip>
    if ($r_setup->{'auth_register_via_email'} eq 'on') {
        my $session = get_session_id();
        # password derived from the session id the client already holds
        $r_in->{'password'} = substr($session,3,6);
    </snip>

SOLUTION

    See link below (patches both bugs) :

    http://www.dcscripts.com/bugtrac/DCForumID7/3.html
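The following is an added illustration, not DCForum's code or its vendor patch: it shows the weak derivation quoted above (a fixed substring of the session id, which the client can read from its own cookie) next to a hypothetical replacement that draws the password from the OS random source, so the value is independent of anything the client observes. The sample session id is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Weak scheme as described in the advisory: the generated password is a
# fixed slice of the session id, so whoever holds the cookie knows it.
sub weak_password_from_session {
    my ($session_id) = @_;
    return substr($session_id, 3, 6);
}

# Hypothetical hardened replacement (not the vendor's fix): read bytes
# from /dev/urandom and map them onto a 62-character alphabet using
# rejection sampling so that no character is favoured by modulo bias.
sub random_password {
    my ($len) = @_;
    my @alphabet = ('a' .. 'z', 'A' .. 'Z', '0' .. '9');   # 62 symbols
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open urandom: $!";
    my $pw = '';
    while (length($pw) < $len) {
        read($fh, my $byte, 1) == 1 or die "short read from urandom";
        my $n = ord($byte);
        next if $n >= 248;          # 248 = 4 * 62; discard the biased tail
        $pw .= $alphabet[$n % 62];
    }
    close $fh;
    return $pw;
}

my $cookie_session = 'AB1xyz789Qrs0tuv';   # constructed sample cookie value
printf "weak (derivable from cookie): %s\n",
    weak_password_from_session($cookie_session);
printf "random (12 chars from urandom): %s\n", random_password(12);
```

Two runs of the weak function on the same cookie always agree, which is the defect; two runs of the random one never should.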