Hi all again! This bug works only when password changes using "Forgotten your password?" future.
The user code is changed when changing the password using "user profile". Sorry for my mistake. ----- Original Message ----- From: "Alexander" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: "Bruce Corkhill" <[EMAIL PROTECTED]> Sent: Wednesday, March 03, 2004 12:20 AM Subject: Authentication flaw in Web Wiz forum > Product: Web Wiz forum 7.0-7.7a www.webwizforum.com > > Risk: Medium > > Date: 02 March, 2004 > > Autor: Pig Killer and Michael ( www.SecurityLab.ru) > > > > When user log on forum, for his cookies identification forum using User_code > value from tblAutor table from underlying database, which doesn't change > with changing of password. As a result, when user change password, he can > register in the forum using old cookies. As a result, if users cookies was > compromised (for example by XSS), then even password changing will doesn't > protect his account from unauthorized using. > > > > The forum also allows logged in user to change the password without entering > the old one. Thus, having cookie, you can change the password without > knowing the old one. > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html