Web Wiz Forum unauthorized private forum access vulnerability

Vulnerability ID: 1107567    Vulnerability type: access validation error
Published: 2003-11-03    Updated: 2006-09-22
CVE: CVE-2003-1176    CNNVD-ID: CNNVD-200312-150
Platform: ASP    CVSS score: 6.4
|Source
https://www.exploit-db.com/exploits/23331
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-150
|Details
Web Wiz Forum is a free web-based forum package from the UK company Web Wiz. Web Wiz Forum does not correctly handle malformed requests that use 'quote' mode, and a remote attacker can exploit this to gain unauthorized access to private forums. When 'quote' mode is used, Web Wiz Forum does not adequately check that the requested forum and the requested message belong together, which allows a remote attacker to read and post messages in private forums they would otherwise not be permitted to access.
|Exploit
source: http://www.securityfocus.com/bid/8957/info

A vulnerability has been reported in Web Wiz Forum that could allow unauthorized access to private forums. The problem occurs when handling malformed requests that make use of 'quote' mode. When this mode is used, Web Wiz Forum will allegedly fail to carry out sufficient checks between the requested forum and message. As a result, an attacker could potentially read or write to a private forum.

http://www.example.com/post_message_form.asp?mode=quote&PID=1111&FID=1&TID=11&TPN=1
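The flaw described above is an authorization check that trusts the client-supplied FID instead of the forum the quoted post actually belongs to. The following is an added illustration, not Web Wiz Forum's own ASP code: it models the missing cross-check and the corrected version that derives the forum from the post record (PID -> TID -> FID), using constructed sample forums and posts.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: forum 1 is public, forum 2 is private (members only).
FORUMS = {1: {"private": False, "members": set()},
          2: {"private": True, "members": {"alice"}}}
TOPICS = {11: {"forum": 1}, 22: {"forum": 2}}
POSTS = {1000: {"topic": 11, "body": "public post"},
         1111: {"topic": 22, "body": "private post"}}   # lives in private forum 2

# Request shape from the advisory: a public FID/TID paired with a private PID.
SAMPLE_URL = ("http://www.example.com/post_message_form.asp"
              "?mode=quote&PID=1111&FID=1&TID=11&TPN=1")


def parse_quote_request(url):
    """Extract the object references the quote handler relies on."""
    q = parse_qs(urlsplit(url).query)
    return {k: int(q[k][0]) for k in ("PID", "FID", "TID")}


def can_read_forum(user, fid):
    forum = FORUMS[fid]
    return not forum["private"] or user in forum["members"]


def quote_vulnerable(user, req):
    """Models the reported behaviour: the access check is run against the
    forum the client names (FID), and the post is then fetched by PID
    without confirming it lives in that forum."""
    if not can_read_forum(user, req["FID"]):
        return None
    post = POSTS.get(req["PID"])
    return post["body"] if post else None


def quote_fixed(user, req):
    """Hardened handler: resolve the real forum from the post itself, refuse
    requests whose FID/TID disagree with it, then check access."""
    post = POSTS.get(req["PID"])
    if post is None:
        return None
    real_tid = post["topic"]
    real_fid = TOPICS[real_tid]["forum"]
    if req["TID"] != real_tid or req["FID"] != real_fid:
        return None  # inconsistent object references: deny, never trust the client
    if not can_read_forum(user, real_fid):
        return None
    return post["body"]
```

A real deployment would also log the mismatch case, since a PID that does not belong to the requested FID/TID is a reliable indicator of probing for this class of bug.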
|References

Source: BUGTRAQ
Name: 20031104 Re: Unauthorized access in Web Wiz Forum
Link: http://www.securityfocus.com/archive/1/343314
Source: XF
Name: webwizforums-quotemode-message-access (13581)
Link: http://xforce.iss.net/xforce/xfdb/13581
Source: BID
Name: 8957
Link: http://www.securityfocus.com/bid/8957
Source: BUGTRAQ
Name: 20031102 Unauthorized access in Web Wiz Forum
Link: http://www.securityfocus.com/archive/1/343175
Source: OSVDB
Name: 2768
Link: http://www.osvdb.org/2768
Source: SECTRACK
Name: 1008100
Link: http://securitytracker.com/id?1008100
Source: SECUNIA
Name: 10137
Link: http://secunia.com/advisories/10137
Source: NSFOCUS
Name: 5625
Link: http://www.nsfocus.net/vulndb/5625