In-Reply-To: <20030227071424.25278.qmail@www.securityfocus.com>
>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>Date: 27 Feb 2003 07:14:24 -0000
>Message-ID: <20030227071424.25278.qmail@www.securityfocus.com>
>From: Haluk AYDIN <haydin@biznet.com.tr>
>To: bugtraq@securityfocus.com
>Subject: Ecardis Password Reseting Vulnerability
>
>Hi,
>
>I don't know if someone has discovered this before but Ecartis 1.0.0
>(former listar) contains a vulnerability that enables an attacker to reset
>passwords of any user defined on the list server, including the list
>admins.
>
>After logging on as a non-privileged user, Ecartis enables the user to
>change his/her password, but does not ask for the old one. The first time
>I have seen this, I thought that the software relies on the session
>cookie, but it seems this is not the case.
>
>The html page contains the username in the "hidden" fields. After saving
>the page on disk, then replacing all "hidden" fields with another username
>which is defined in the server, and reloading the page again we can try
>our chance to change the password. Just fill in the empty password fields
>with a password of your choice, and click "Change Password": there you
>are... You have just reset the victim's password.
>
>I have not tested this on different versions, but I guess it will work for
>all of them. I would appreciate any comments on the issue.
>
>Regards,
>

Thank you for bringing this to our attention, it was fixed only a few hours after receiving this. The FreeBSD port (which I maintain) has also been updated. Please use snapshot versions after 20030227, and make sure the FreeBSD port is updated as well.

-Trish Lynch - ecartis core team.
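The flaw described in the thread is a password-change handler that takes the target account from a hidden form field and never asks for the current password. The following is an added illustration, not Ecartis code: a minimal handler with the reported behaviour beside a hardened one that binds the operation to the server-side session and requires proof of the old password. The session store, user store and form field names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample state (hypothetical): Ecartis' real session handling
# and password storage are not modelled here.
SESSIONS = {"sess-abc": "alice"}   # session cookie value -> authenticated user
USERS = {}                         # username -> (salt, PBKDF2 hash)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[user] = (salt, _hash(password, salt))


def check_password(user: str, password: str) -> bool:
    """Constant-time comparison so a wrong guess does not leak timing."""
    if user not in USERS:
        return False
    salt, stored = USERS[user]
    return hmac.compare_digest(_hash(password, salt), stored)


def change_password_vulnerable(form: dict) -> str:
    """Mirrors the reported flaw: the account to modify is whatever the
    hidden 'username' field says, and no old password is requested."""
    set_password(form["username"], form["new_password"])
    return "ok"


def change_password_fixed(cookie: str, form: dict) -> str:
    """Hardened handler: identity comes from the session, the hidden field
    is only cross-checked, and the current password must be proved."""
    user = SESSIONS.get(cookie)
    if user is None:
        return "error: not logged in"
    if form.get("username") != user:
        return "error: form user does not match session"
    if not check_password(user, form.get("old_password", "")):
        return "error: old password incorrect"
    if form.get("new_password") != form.get("confirm_password"):
        return "error: confirmation mismatch"
    set_password(user, form["new_password"])
    return "ok"
```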