okay.. well lemme find the e-mail
and i QUOTE
START QUOTE
Yo.
Yeah so the idea is, in your cgi application that your
"edit profile" form uses, if any user is signed in to
their account, while they are signed in, someone has
an ability to completely change the person's profile
(ie: change password) except for the avatar icon, and
lock em out/take over the account.
All you need to know is that the user is logged in and
their u=id where id is their user id number (u in the
form name), which can be determined by the order the
people registered. Just have to put the proper number
of trailing zeros in front (easy, look at an example
from your own mbs account in the hidden input type in
the source of the html form). the message board
displays this for any user by a post (ie: ender's the
fourth member, I'm the 14th registered, etc), but if
you wanted to, say change the first registrant, which
should always be an admin (you usually got a damn good
idea who =D), or a random one, and see if they're
online, still be bad enough. Don't know about fixing
the hole, but all you have to do to perform the attack
is fill in "valid" options that the user would fill in
to their form, and just add the right user id.... you
can change the pass, displayed name, all that, as long
as all the input types meant to be submitted in your
custom made form match what they would be in the
pregiven form, and a different correct user id is
given (and they're logged in). lala, I'd suggest, if
you got the power (the source, or know enough to code
your own and change the login form) is to ask for an "old
password" field, and don't have the form make any
changes without it being properly supplied to the user
account. if not, you can inform uub and complain, I
suppose.
You could even set up a script to run and send change
requests, see if their info changes, and take down the
bot when it does. Just keep sending the request until
you catch them logged in if ya don't want a fluke.
very vulnerable........
PS: I still can't make a custom avatar for me (boo
hoo)
Whoo, enough ranting out of me.
END QUOTE
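As an added illustration (this is not code from the quoted e-mail or from the board's own CGI source), here is a minimal stand-in for the "edit profile" handler showing the pattern the e-mail describes next to the fix it suggests. The user table, session store, and field names (`u`, `name`, `pass`, `old_pass`) are all constructed for this example; the hardened handler takes the account to edit from the server-side session instead of the hidden `u` field and refuses any change without the current password.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; a fresh random salt if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak which byte differed."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed in-memory stores standing in for the board's user database and
# its session cookies (hypothetical; the real board's storage is unknown).
USERS: Dict[int, dict] = {}      # user id -> {"name", "salt", "pw"}
SESSIONS: Dict[str, int] = {}    # session token -> user id


def register(user_id: int, name: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[user_id] = {"name": name, "salt": salt, "pw": digest}


def login(user_id: int, password: str) -> Optional[str]:
    """Return a session token on success, None otherwise."""
    user = USERS.get(user_id)
    if user is None or not check_password(password, user["salt"], user["pw"]):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = user_id
    return token


def vulnerable_update(form: Dict[str, str]) -> str:
    """The pattern the e-mail describes: the handler trusts the hidden 'u'
    field to say whose profile is being edited and never asks for the old
    password, so a request carrying someone else's id rewrites that account."""
    user = USERS.get(int(form["u"]))
    if user is None:
        return "no such user"
    user["name"] = form["name"]
    user["salt"], user["pw"] = hash_password(form["pass"])
    return "ok"


def hardened_update(session_token: Optional[str], form: Dict[str, str]) -> str:
    """The e-mail's suggested fix plus the standard one: the account being
    edited comes from the server-side session, never from a form field, and
    nothing is changed unless the current password is supplied."""
    user_id = SESSIONS.get(session_token or "")
    if user_id is None:
        return "not logged in"
    user = USERS[user_id]            # form["u"] is deliberately ignored
    if not check_password(form.get("old_pass", ""), user["salt"], user["pw"]):
        return "old password missing or wrong"
    user["name"] = form["name"]
    if form.get("pass"):
        user["salt"], user["pw"] = hash_password(form["pass"])
    return "ok"


def demo() -> dict:
    """Send the same forged POST body to both handlers; report who got changed."""
    USERS.clear()
    SESSIONS.clear()
    register(1, "admin", "admin-secret")      # first registrant
    register(14, "attacker", "attacker-pw")   # constructed second account
    forged = {"u": "1", "name": "pwned", "pass": "new-pass"}  # constructed request body

    vuln_result = vulnerable_update(dict(forged))
    admin_after_vuln = USERS[1]["name"]

    register(1, "admin", "admin-secret")      # reset the admin row
    token = login(14, "attacker-pw")
    no_old = hardened_update(token, dict(forged))
    with_old = hardened_update(token, {**forged, "old_pass": "attacker-pw"})
    return {
        "vulnerable": vuln_result,
        "admin_after_vulnerable": admin_after_vuln,
        "hardened_without_old_pass": no_old,
        "hardened_with_old_pass": with_old,
        "admin_after_hardened": USERS[1]["name"],
        "attacker_after_hardened": USERS[14]["name"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the vulnerable handler renaming the admin on a request that merely carried `u=1`, while the hardened handler rejects the same body without `old_pass` and, with it, only ever edits the account the session belongs to. Binding the edit to the session is the part that closes the hole; the old-password check is the extra guard the e-mail asks for, and it also covers a user who walks away from a logged-in browser.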