PBLang Private Message Reply Arbitrary User Encrypted Password Disclosure

2004-09-29T22:39:53
ID OSVDB:19628
Type osvdb
Reporter n013g41()
Modified 2004-09-29T22:39:53

Description

Vulnerability Description

PBLang contains a flaw that allows unauthorized password disclosure. After viewing their own private messages, an attacker can manipulate the URL to load an arbitrary user's private message files and so gain access to encrypted passwords. Once another user's message is loaded, the attacker can view the page source to see that user's password hash.

Solution Description

Upgrade to version 4.61 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

Register and access private messages (PM). Send a message to yourself, view it, and then press reply. The URL shown is:

/home/www/web445/html/PBL/db/pm/your-name_2_c

Modify this URL to:

/home/www/web445/html/PBL/db/members/ADMINISTRATOR-NAME-HERE

Then view the source of the web page to see the "password" and "username" strings for the "ADMINISTRATOR-NAME-HERE" user.
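
The testing notes show the reply URL carrying a server file path that can be pointed at another user's file. The following is an added example, not PBLang code and not the vendor's 4.61 fix, of a server-side containment and ownership check for such a parameter; the file-name pattern (inferred from "your-name_2_c"), the directory layout under a root, and the function names are assumptions.

```python
import os
import re
import tempfile

# Assumed naming, from the advisory's single example ("your-name_2_c"):
# <owner>_<number>_<letter>, stored directly under <root>/db/pm.
PM_NAME = re.compile(r"(.+)_(\d+)_([a-z])")


def is_own_pm(root, session_user, requested):
    """True only if `requested` resolves to one of session_user's own
    private-message files directly inside <root>/db/pm."""
    pm_dir = os.path.realpath(os.path.join(root, "db", "pm"))
    path = os.path.realpath(requested)  # collapses "..", follows symlinks
    if os.path.dirname(path) != pm_dir:
        return False  # e.g. anything under db/members
    match = PM_NAME.fullmatch(os.path.basename(path))
    # Greedy (.+) keeps everything before the last two "_" fields, so user
    # "bob" cannot claim "bob_2_3_c", which belongs to user "bob_2".
    return match is not None and match.group(1) == session_user


def demo():
    """Run the check over a constructed forum tree; returns {label: allowed}."""
    with tempfile.TemporaryDirectory() as root:
        pm = os.path.join(root, "db", "pm")
        members = os.path.join(root, "db", "members")
        os.makedirs(pm)
        os.makedirs(members)
        for path in (os.path.join(pm, "alice_2_c"),
                     os.path.join(pm, "bob_2_3_c"),
                     os.path.join(members, "admin")):
            open(path, "w").close()
        cases = [  # constructed requests: (label, session user, requested path)
            ("own message", "alice", os.path.join(pm, "alice_2_c")),
            ("member file", "alice", os.path.join(members, "admin")),
            ("traversal", "alice", os.path.join(pm, "..", "members", "admin")),
            ("prefix collision", "bob", os.path.join(pm, "bob_2_3_c")),
        ]
        return {label: is_own_pm(root, user, req) for label, user, req in cases}


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'allowed' if ok else 'denied'}")
```

The user name passed to the check must come from the authenticated session, never from the request itself.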

References:

Vendor Specific News/Changelog Entry: http://pblforum.drmartinus.de/post.php?cat=2&fid=2&pid=29&page=1
Related OSVDB ID: 19629
Related OSVDB ID: 19632
Related OSVDB ID: 19630
Related OSVDB ID: 19631
Related OSVDB ID: 19633