COMMAND

surf-net ASP forum

SYSTEMS AFFECTED

surf-net ASP forum

PROBLEM

Mark Lastdrager found the following. The free surf-net ASP forum contains at least one major security hole which can be easily exploited by a malicious user. The problem was discovered during a website audit.

Anyone can become the administrator of the message board. The forum sets a cookie 'userid' as soon as a user logs on (if the user prefers cookies). This cookie seems to be some kind of representation of the real userid. When auditing, we first got a cookie with userid '2666664' (with real userid 3; the registration page returns this number), and after we registered a second userid '3555552' (with real userid 4) it wasn't hard to guess that the admin user would have the userid '0888888' (thus real userid 1). After changing the local cookie and restarting Netscape it turned out we were right.

After that we found and downloaded the source code and discovered this at line 89 of common.inc:

    lngLoggedInUserID = CLng(Request.Cookies("Forum")("UserID") / 888888)

Which of course is not a very secure way of doing things.

SOLUTION

The author reacted within one day and fixed the problem. Fixed version 2.30 should be available at http://www.surf-net.co.uk/asp/forum/forum_script.asp
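The cookie check quoted under PROBLEM trusts a number the client controls. The following is an added example, not code from the forum or from its 2.30 fix: a Python rendering of that check next to one possible hardening, a cookie value carrying an HMAC that only the server can compute. The names weak_decode, issue_cookie, verify_cookie and SERVER_KEY are hypothetical, and the key is a constructed placeholder.

```python
import hashlib
import hmac

MULTIPLIER = 888888  # constant from the quoted line of common.inc
# Assumption: a random per-installation secret that never leaves the server.
SERVER_KEY = b"constructed-demo-key"


def weak_decode(cookie_value: str) -> int:
    """Python rendering of the quoted check: any client-supplied number is accepted."""
    # CLng rounds half to even, as Python's round() does.
    return round(int(cookie_value) / MULTIPLIER)


def issue_cookie(user_id: int, key: bytes = SERVER_KEY) -> str:
    """Build '<id>.<hex HMAC-SHA256 of id>' to set at login."""
    tag = hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def verify_cookie(cookie_value: str, key: bytes = SERVER_KEY):
    """Return the user id when the tag matches, otherwise None."""
    id_part, sep, tag = cookie_value.partition(".")
    # Reject values with no tag or with a non-numeric id before any parsing.
    if not sep or not (id_part.isascii() and id_part.isdigit()):
        return None
    expected = hmac.new(key, id_part.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so odd client input cannot raise.
    if not hmac.compare_digest(expected.encode(), tag.encode("utf-8", "replace")):
        return None
    return int(id_part)


if __name__ == "__main__":
    for sample in ("2666664", "0888888"):  # cookie values quoted in the advisory
        print(sample, "-> weak:", weak_decode(sample),
              "signed check:", verify_cookie(sample))
    good = issue_cookie(3)
    swapped = "1." + good.split(".", 1)[1]  # id changed, tag left as issued
    print(verify_cookie(good), verify_cookie(swapped))
```

A signed id still never expires and cannot be revoked, so keeping the logged-in user id in server-side session state is the stronger design.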