Web Wiz Forums quote mode allows access to messages
| webwizforums-quotemode-message-access (13581) |  Medium Risk |
Description:
Web Wiz Forums could allow a remote attacker to obtain unauthorized access to messages. A remote attacker can send a specially-crafted request to the post_message_form.asp using quote mode, which would allow the attacker to read and post to messages in private forums.
Platforms Affected:
- Bruce Corkhill, Web Wiz Forums 6.34
- Bruce Corkhill, Web Wiz Forums 7.01
- Bruce Corkhill, Web Wiz Forums 7.5
Remedy:
Upgrade to the latest version of Web Wiz Forums (7.51 or later), available from the Web Wiz Guide Web site. See References.
As a workaround, apply the fix as listed in the Securiteam Mailing List, Windows NT focus posting dated 2 Nov 2003. See References.
Consequences:
Obtain Information
References:
- SecuriTeam Mailing List, Windows NT focus 2 Nov 2003, Unauthorized Message Access in Web Wiz Forums at http://www.securiteam.com/windowsntfocus/6Y0040K8UC.html.
- Web Wiz Guide Web site, Web Wiz Forums - Forum Software Download at http://www.webwizguide.info/web_wiz_forums/forum_download.asp?mode=forum.
- BID-8957: Web Wiz Forum Unauthorized Private Forum Access Vulnerability
- CVE-2003-1176: post_message_form.asp in Web Wiz Forums 6.34 through 7.5, when quote mode is used, allows remote attackers to read or write to private forums by modifying the FID (forum ID) parameter.
- OSVDB ID: 2768: Web Wiz Forums Unauthorized Message Access
- SA10137: Web Wiz Forums Unauthorised Message Access Vulnerability
- SECTRACK ID: 1008100: (Vendor Issues Fix) Re: Web Wiz Forums Discloses Private Messages to Remote Users
Reported:
Nov 02, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net