DUportal Account Hijacking

2003-12-18T06:24:20
ID OSVDB:3071
Type osvdb
Reporter OSVDB
Modified 2003-12-18T06:24:20

Description

Vulnerability Description

DUportal contains a flaw that allows an attacker to hijack existing accounts. The issue arises because the application uses hidden form fields rather than user-specific session IDs to track user password changes. An attacker can download the HTML forms, edit the user information they carry and re-submit them to the application.
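
The following is an added illustration of the design defect the description points at, not DUportal's code: a constructed password-change handler that trusts a hidden `username` field, next to a corrected handler that takes the identity only from a server-side session and additionally requires the current password. The field names, the in-memory user and session stores, and the plaintext passwords are assumptions made to keep the demonstration self-contained.

```python
"""Hidden-field account hijacking: vulnerable vs. corrected password change.

Constructed example; nothing here is DUportal's own code. Passwords are kept
in plaintext only so the behaviour is easy to follow in a few lines.
"""
import hmac
from typing import Optional


def make_demo_state():
    """Return fresh copies of a constructed user store and session store."""
    users = {"alice": "alice-old", "bob": "bob-old"}        # username -> password
    sessions = {"sess-alice-1": "alice"}                    # session id -> logged-in user
    return users, sessions


def change_password_vulnerable(users: dict, form: dict) -> Optional[str]:
    """The flawed pattern: the account to modify is named by a hidden form
    field ('username'), which the client fully controls. Anyone who can submit
    the form can change any account's password. Returns the account changed."""
    target = form.get("username")          # value came from <input type="hidden">
    if target not in users:
        return None
    users[target] = form["new_password"]
    return target


def change_password_fixed(users: dict, sessions: dict, cookies: dict, form: dict) -> Optional[str]:
    """The corrected pattern: identity is resolved from the server-side session
    bound to the session cookie; any 'username' in the form is ignored. The
    current password is also required, so a leaked session alone cannot rotate
    the credential. Returns the account changed, or None if refused."""
    user = sessions.get(cookies.get("session_id"))
    if user is None:
        return None                        # no authenticated session: refuse
    supplied = form.get("current_password", "")
    if not hmac.compare_digest(users[user].encode(), supplied.encode()):
        return None                        # wrong current password: refuse
    users[user] = form["new_password"]
    return user


def demo() -> dict:
    """Run both handlers against the same tampered request and report outcomes."""
    # Constructed request: the client holds alice's session but edits the
    # hidden field to name bob before re-submitting the form.
    cookies = {"session_id": "sess-alice-1"}
    tampered = {"username": "bob", "current_password": "alice-old", "new_password": "changed"}

    users, _ = make_demo_state()
    vuln_hit = change_password_vulnerable(users, tampered)
    vuln_bob = users["bob"]

    users, sessions = make_demo_state()
    fixed_hit = change_password_fixed(users, sessions, cookies, tampered)
    fixed_bob, fixed_alice = users["bob"], users["alice"]

    return {
        "vulnerable_changed": vuln_hit,    # "bob": the tampered field was trusted
        "vulnerable_bob_pw": vuln_bob,     # "changed"
        "fixed_changed": fixed_hit,        # "alice": only the session owner
        "fixed_bob_pw": fixed_bob,         # "bob-old": untouched
        "fixed_alice_pw": fixed_alice,     # "changed"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detection angle for this class of bug is a simple review rule: any state-changing handler whose target account comes from request data rather than from the authenticated session is suspect, and password or e-mail changes should additionally re-prove possession of the current credential.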

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.duware.com/products/category.asp?iCat=8&nCat=Portal%20&%20Site
Secunia Advisory ID: 10456
Related OSVDB ID: 3772
Related OSVDB ID: 3774
Related OSVDB ID: 3775
Related OSVDB ID: 3773
Related OSVDB ID: 3776
Related OSVDB ID: 3269
Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2003-12/0239.html
ISS X-Force ID: 14016
Generic Exploit URL: http://www.gulftech.org/vuln/DUd3.html
Bugtraq ID: 9246