OSVDB ID: 10663

Title: DUclassmate account.asp MM-recordId Parameter Arbitrary Password Modification

Info

Disclosure

Oct 12, 2004

Discovery

Unknown

Dates

Exploit

Oct 11, 2004

Solution

Unknown

Description

DUclassmate contains a flaw in the 'account.asp' script that may lead to an unauthorized password exposure. It is possible to change other users passwords by altering the 'MM-recordId' value on the 'My Account' page, which may lead to a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Authentication Management, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

DUware

DUclassmate

1.2

References

Security Tracker: 1011597
Bugtraq ID: 11363
ISS X-Force ID: 17682
CVE ID: 2004-2198 (see also: NVD)
Vendor URL: http://www.duware.com/products/detail.asp?iPro=34&iCat=9&nCat=Ad%20Management

Credit

Soroush Dalili - irsdlyahoo.com - Grayhatz security group

Direct URL: http://osvdb.org/36218