3644 : DUware Multiple Products inc_menu.asp Admin Authentication Bypass
Printer | http://osvdb.org/3644 | Email This | Edit Vulnerability

Views This Week

Views All Time

Info

Last Modified

4 months ago

Percent Complete

75%

Disclosure

Jan 20, 2004

Discovery

Jan 10, 2004

Dates

Exploit

Jan 20, 2004

Solution

Unknown

Description

Multiple DUware products contain a flaw that allows a remote attacker to gain administrative privileges. The issue is due to improper authentication verification when accessing different include files. While the program will require authentication for the inc_edit.asp include file, it fails to authenticate on requests to the inc_menu.asp include file. This allows an attacker to directly request the file with administrative priveleges.

Classification

Unknown or Incomplete

Solution

Upgrade to the following versions (or higher), as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

DUclassifieds: 4.2
DUclassmate: 1.1
Duamazon: 3.1
DUforum: 3.1
DUpaypal: 3.1
DUportal: 3.1

Products

DUware	DUportal	3.0
	DUclassified	4.0
	DUclassified	4.1
	DUclassmate	1.0
	DUamazon	3.0
	DUforum	3.0
	DUpaypal	3.0

References

Other Advisory URL: http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0019.html
http://www.security-corporation.com/advisories-026.html
ISS X-Force ID: 14015
Secunia Advisory ID: 10687
Vendor Specific Solution URL: http://www.duware.com/news/detail.asp?iNews=755
Vendor URL: http://www.duware.com

Manual Testing Notes

Credit

frog-m@n - rog-mansecurity-corporation.com - Security Corporation

Blogs

Provided by Technorati

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

DONATE NOW!

User Status

Account
- Login
- Sign-Up

Quick Searches

Views This Week

Views All Time

Info

Last Modified

Percent Complete

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

DUware

DUportal

DUclassified

DUclassmate

DUamazon

DUforum

DUpaypal

References

Manual Testing Notes

Credit

Blogs

Comments