Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: etc :: bt416.txt

Snitz Forums multiple vulns







Multiple Vulnerabilities In Snitz 3.4.0.3

-------------------------------------------

Versions Affected: 3.4.0.3 (current) / Others?

Vendor Notification: Informed

Vendor Website: http://www.snitz.com







Product Description 

-------------------------------------------

Snitz Forums is a full-featured UBB-style ASP 

discussion board application. New features in version 3.3: 

Complete Topic/Post Moderation, Topic Archiving, Subscribe 

to Board / Category / Forum / Topic, Improved unsubscribe, 

Short(er) urls, Category and Forum ordering, and Improved 

Members-page. And like always, upgrading of the database is 

done for you by the setupscript







search.asp Search Feature XSS Vulnerability

-------------------------------------------

Snitz search feature is vulnerable to XSS which

can aide an attacker in stealing cookies, and thus

compromising the account, as described below



http://path/search.asp?Search="><script>alert()</script>







Account Compromise Via Cookie Poisoning

-------------------------------------------

In order to steal another users identity, all an attacker 

needs to know is thier encrypted password. This is not

very hard to obtain using the XSS as described above, or

other methods. Once an attacker has this info, all they

have to do is login to thier normal account to get a valid

session id, close the browser, replace thier username and 

encrypted pass with that of the victim, and return to the 

site where they will be recognized as the victim.







password.asp Password Reset Vulnerability

-------------------------------------------

This is the most serious of the vulns, as it requries no

real effort and leaves the entire snitz forum open to attack.

All an attacker has to do is request a forgotten password, save

the password reset page offline,edit the member id to the desired

member id, and submit the form. The members password will then

be reset to that of the attackers choosing.







Credits

-------------------------------------------

Credits go to JeiAr of Gulftech Computers & 

CSA Security Rsearch http://www.gulftech.org



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH