On 29 Sep 2005 12:58:48 -0000 enji@xxxxxxxxxxxxxxxxxxxx wrote:

> An attacker is able to change the username and password of a logged-in
> user (and can therefore hijack his account) by tricking the user into
> clicking a link to a page with the following contents:

But where is the bug? I've found one: no "old password" checking in the profile changing module. The trick with the form works for many engines where there is no HTTP_REFERER checking. So, I think, this is a global vulnerability for all CMSes where there is no "old password" checking when changing the password.

------------
An easy death!
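The two checks named in the message above (old-password verification and an HTTP_REFERER check), shown on a profile-change handler beside the unchecked pattern. This is an added example, not part of the original message or of any CMS's code; the host name, function names and form fields are hypothetical, and the session-bound token is an extra check beyond the two the message mentions.

```python
import hashlib, hmac, os, secrets
from urllib.parse import urlsplit

SITE_HOST = "cms.example"  # assumed hostname of the site (constructed)

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_user(name, password):
    salt = os.urandom(16)
    return {"name": name, "salt": salt, "pw": hash_pw(password, salt)}

def new_session(user):
    return {"user": user, "csrf": secrets.token_hex(16)}

def change_password_unchecked(session, form, headers):
    """Pattern from the thread: the session cookie alone authorises the change."""
    user = session["user"]
    user["pw"] = hash_pw(form["new_password"], user["salt"])
    return "changed"

def change_password_checked(session, form, headers):
    """Same handler with the checks discussed above, plus a session token."""
    user = session["user"]
    # 1. Request must come from a page on our own host (HTTP_REFERER check).
    if urlsplit(headers.get("Referer", "")).hostname != SITE_HOST:
        return "rejected: referer"
    # 2. Session-bound token that a third-party page cannot read.
    if not hmac.compare_digest(form.get("csrf", "").encode(), session["csrf"].encode()):
        return "rejected: token"
    # 3. Old password must match; a forged form cannot supply it.
    old = hash_pw(form.get("old_password", ""), user["salt"])
    if not hmac.compare_digest(old, user["pw"]):
        return "rejected: old password"
    user["pw"] = hash_pw(form["new_password"], user["salt"])
    return "changed"

def demo():
    results = {}
    # Constructed cross-site request: the browser sends the cookie, nothing else.
    forged = {"new_password": "chosen-by-other-site"}
    forged_hdr = {"Referer": "http://other.example/page.html"}
    for handler in (change_password_unchecked, change_password_checked):
        s = new_session(new_user("alice", "correct horse"))
        results[handler.__name__] = handler(s, forged, forged_hdr)
    s = new_session(new_user("alice", "correct horse"))
    own = {"csrf": s["csrf"], "old_password": "correct horse", "new_password": "n3w"}
    results["legit"] = change_password_checked(s, own, {"Referer": "https://cms.example/profile"})
    return results
```

Calling demo() returns the outcome of the same cross-site request against both handlers, followed by a same-site request that carries the token and the old password.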