Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: sb5950.htm

List Site user account Hijacking



25th Jan 2003 [SBWID-5950]
COMMAND

	List Site user account Hijacking

SYSTEMS AFFECTED

	List Site Pro v2

PROBLEM

	StatiX [mail_statix@linuxmail.org] says :
	
	It is possible to take over another  user  account  by  signing  up  and
	using | in one of the  required  feilds.  List  Site  Pro  uses  '|'  to
	delimit the database but the form input is not checked and  stripped  of
	them. So a user could sign up like this
	
	username:username
	email:email@emial.com
	url:www.url.com
	bannerurl:www.site.com/banner.gif ||password|1036360992|60|468
	banner height:68
	banner width:460
	password:pass
	
	this would take over the account 1036360992 and  let  the  user  log  in
	with the password 'password' Since the user id is displayed in teh  link
	of the  topsite,  an  attacker  could  successfully  log  into  whatever
	account he chooses to. Then the  attacker  could  change  the  link  the
	banner points to, or any thing else in the account.  This  doesn't  give
	the attacker admin access. But it gives him  an  opportunity  to  render
	the topsite useless.

SOLUTION

	None yet, check :
	
	 http://www.listsitepro.com
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH