Allaire Forums allows users full access to secured conferences

allaire-forums-allaccess (4226) The risk level is classified as Medium Risk

Description:

Allaire Forums could allow a remote user to view and post to secure discussion threads in an insecure manner. Because the variable "rightAccessAllForums" is handled improperly, an attacker could access conferences to which they do not belong by using unsecured conferences or email.

Platforms Affected:

  • Macromedia, Allaire Forums

Remedy:

Obtain the appropriate patch, available from the Allaire Web site, as listed in Allaire Security Bulletin ASB00-06. See References.

Consequences:

Gain Access

References:

  • Macromedia/Allaire Security Bulletin ASB00-06, Patch Available for Allaire Forums 2.0.5 security issue at http://www.macromedia.com/v1/handlers/index.cfm?ID=15099.
  • BID-1085: Allaire Forums "rightAccessAllForums" Vulnerability
  • CVE-2000-0297: Allaire Forums 2.0.5 allows remote attackers to bypass access restrictions to secure conferences via the rightAccessAllForums or rightModerateAllForums variables.
  • OSVDB ID: 1270: Allaire Forums rightAccessAllForums Privilege Escalation

Reported:

Apr 03, 2000

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
