If you want to go to multiple lists try sending mails one by one...
-KF
Alexander Antipov wrote:
What's shit? I did not send this message again!
--------------------------------
Received: from NETSYS.COM ([199.201.233.10]:55737 "EHLO netsys.com" smtp-auth: <none> TLS-CIPHER: <none> TLS-PEER-CN1: <none>) by mail.yandex.ru with ESMTP id <S687718AbTKFWoQ>; Fri, 7 Nov 2003 01:44:16 +0300
Received: from NETSYS.COM (localhost [127.0.0.1]) by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id hA6LbcG06235; Thu, 6 Nov 2003 16:37:38 -0500 (EST)
Received: from mail.suretel.net (mail1.suretel.net [69.8.3.246]) by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id hA6LXI704437 for <[EMAIL PROTECTED]>; Thu, 6 Nov 2003 16:33:20 -0500 (EST)
Received: from mail pickup service by mail.suretel.net with Microsoft SMTPSVC; Thu, 6 Nov 2003 15:32:18 -0600
--------------------------------
----- Original Message -----
From: "Alexander Antipov" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, November 02, 2003 12:49 PM
Subject: [Full-Disclosure] Unauthorized access in Web Wiz Forum
Unauthorized access in Web Wiz Forum
A vulnerability has been found in Web Wiz Forum (6.34, 7.01, 7.5). A remote user (authenticated or not) can read messages in a private forum. A remote user can post messages in a private forum.
The software does not compare the message to the forum when "quote" mode is used. As a
result, a remote user (authenticated or not) can read and post messages in a
private forum to which he has no access. Example:
User "A" has read and write access to Forum1 (FID=1) and no access to
Forum2 (FID=2), and the message with PID=1111 (in topic TID=11) belongs to Forum2 (FID=2).
User "A" has no access to topic TID=11 with message PID=1111. However, the user
can use "quote" mode for message PID=1111 with Forum1 (FID=1) (instead of FID=2) to read the private message and answer it, using the following URL:
http://webwizforum/post_message_form.asp?mode=quote&PID=1111&FID=1&TID=11&TPN=1
(instead of PID=1111&FID=2&TID=11&TPN=1)
Thanks to Tecklord, Pharaoh and the other moderators of http://Forum.SecurityLab.ru
Sorry for my poor English
Solution:
-- begin snip post_message_form.asp ----
'If this is a quoted message read in the message to be quoted
If strMode = "quote" Then

    'Get the number this thread is after
    intTotalNumOfThreads = Request.QueryString("NOP")

    'Get the return thread page
    intRecordPositionPageNum = Request.QueryString("TPN")

--- bug fix by pharaoh ----
    'Check that the topic (TID) belongs to the forum (FID) given in the request
    strSQL = "SELECT " & strDbTable & "Topic.Subject FROM " & strDbTable & "Topic "
    strSQL = strSQL & "WHERE " & strDbTable & "Topic.Forum_ID = " & CLng(Request.QueryString("FID"))
    strSQL = strSQL & " AND " & strDbTable & "Topic.Topic_ID = " & CLng(Request.QueryString("TID"))
    rsCommon.Open strSQL, adoCon
    If rsCommon.EOF Then
        rsCommon.Close
        Set rsCommon = Nothing
        Set adoCon = Nothing
        Response.Redirect "insufficient_permission.asp"
    End If
    rsCommon.Close

    'Read the quoted message only if it (PID) belongs to that topic (TID)
    strSQL = "SELECT " & strDbTable & "Author.Author_ID, " & strDbTable & "Author.Username, " & strDbTable & "Thread.Message "
    strSQL = strSQL & "FROM " & strDbTable & "Thread INNER JOIN " & strDbTable & "Author ON " & strDbTable & "Thread.Author_ID = " & strDbTable & "Author.Author_ID "
    strSQL = strSQL & "WHERE " & strDbTable & "Thread.Thread_ID = " & CLng(Request.QueryString("PID"))
    strSQL = strSQL & " AND " & strDbTable & "Thread.Topic_ID = " & CLng(Request.QueryString("TID"))
    rsCommon.Open strSQL, adoCon
    If rsCommon.EOF Then
        rsCommon.Close
        Set rsCommon = Nothing
        Set adoCon = Nothing
        Response.Redirect "insufficient_permission.asp"
    End If
--- bug fix by pharaoh ----
-- end snip post_message_form.asp ----
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
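
Added example (not part of the thread and not Web Wiz Forum code): a small Python/sqlite3 model of the check the posted fix introduces, reusing the advisory's FID/TID/PID values and column names. The ALLOWED_FORUMS permission table, the function names and the sample rows are assumptions constructed for illustration; the pre-fix function models the behaviour the advisory describes, where access is decided on the FID from the URL while the message is fetched by PID alone.

```python
import sqlite3

# Hypothetical permission table: user -> forum IDs (FID) the user may read.
ALLOWED_FORUMS = {"A": {1}}


def make_db():
    """Constructed sample data: Forum1 (FID=1) is open to user "A",
    Forum2 (FID=2) is private and holds topic TID=11 with message PID=1111."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Topic  (Topic_ID INTEGER PRIMARY KEY, Forum_ID INTEGER);
        CREATE TABLE Thread (Thread_ID INTEGER PRIMARY KEY, Topic_ID INTEGER,
                             Message TEXT);
        INSERT INTO Topic  VALUES (10, 1), (11, 2);
        INSERT INTO Thread VALUES (1000, 10, 'public post'),
                                  (1111, 11, 'private post');
    """)
    return db


def quote_unchecked(db, user, pid, fid, tid):
    """Pre-fix model: FID is checked against the user's permissions,
    but nothing ties PID or TID to that FID."""
    if fid not in ALLOWED_FORUMS.get(user, set()):
        return None
    row = db.execute("SELECT Message FROM Thread WHERE Thread_ID = ?",
                     (int(pid),)).fetchone()
    return row[0] if row else None


def quote_checked(db, user, pid, fid, tid):
    """Post-fix model: the two conditions from the posted fix in one
    parameterized query. The topic must belong to FID and the message
    must belong to TID, otherwise no row is returned."""
    if fid not in ALLOWED_FORUMS.get(user, set()):
        return None
    row = db.execute(
        """SELECT Thread.Message
             FROM Thread JOIN Topic ON Topic.Topic_ID = Thread.Topic_ID
            WHERE Thread.Thread_ID = ?
              AND Thread.Topic_ID  = ?
              AND Topic.Forum_ID   = ?""",
        (int(pid), int(tid), int(fid)),
    ).fetchone()
    return row[0] if row else None
```

A None result corresponds to the redirect to insufficient_permission.asp in the posted fix.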