DUportal U_ACCESS Administrator Access

2003-12-18T06:24:20
ID OSVDB:3773
Type osvdb
Reporter OSVDB
Modified 2003-12-18T06:24:20

Description

Vulnerability Description

DUportal contains a flaw that allows any new user to gain administrative access during account creation. The application does not validate the value submitted in the U_ACCESS field, so an attacker can set the account's access level to an arbitrary value, such as "admin" instead of "user".
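The flaw class described above, shown as an added example that is not DUportal source code: a registration handler that stores whatever the form submits, beside one that allow-lists client fields and assigns the access level on the server. The field names other than U_ACCESS, the function names and the sample form are assumptions made for illustration.

```python
# Added illustration: generic registration handlers, not DUportal source code.
# Field names other than U_ACCESS (U_ID, U_PASSWORD, U_EMAIL) are assumed.
# Password hashing is left out to keep the focus on the access-level field.

DEFAULT_ACCESS = "user"
# Only these fields may come from the registration form.
CLIENT_FIELDS = ("U_ID", "U_PASSWORD", "U_EMAIL")


def register_unvalidated(form: dict) -> dict:
    """Flawed pattern: every submitted field, U_ACCESS included, is stored."""
    account = {"U_ACCESS": DEFAULT_ACCESS}
    account.update(form)  # a client-supplied U_ACCESS overrides the default
    return account


def register_hardened(form: dict, audit: list) -> dict:
    """Corrected pattern: allow-list client fields, assign access server-side."""
    unexpected = sorted(set(form) - set(CLIENT_FIELDS))
    if unexpected:
        # Record the attempt for review; the submitted values are not used.
        audit.append({"user": form.get("U_ID"), "rejected_fields": unexpected})
    missing = [f for f in CLIENT_FIELDS if not form.get(f)]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    account = {f: form[f] for f in CLIENT_FIELDS}
    account["U_ACCESS"] = DEFAULT_ACCESS  # never taken from the request
    return account


# Constructed sample submission carrying a tampered access level.
SAMPLE_FORM = {
    "U_ID": "newuser",
    "U_PASSWORD": "example-only",
    "U_EMAIL": "newuser@example.test",
    "U_ACCESS": "admin",
}

if __name__ == "__main__":
    log = []
    print("unvalidated:", register_unvalidated(SAMPLE_FORM)["U_ACCESS"])
    print("hardened:   ", register_hardened(SAMPLE_FORM, log)["U_ACCESS"])
    print("audit log:  ", log)
```

The audit entry written by the hardened handler doubles as a detection signal: a registration request that carries an access-level field at all did not come from the unmodified form.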

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.duware.com/products/category.asp?iCat=8&nCat=Portal%20&%20Site
Secunia Advisory ID: 10456
Related OSVDB ID: 3071
Related OSVDB ID: 3772
Related OSVDB ID: 3774
Related OSVDB ID: 3775
Related OSVDB ID: 3776
Related OSVDB ID: 3269
Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2003-12/0239.html
ISS X-Force ID: 14016
Generic Exploit URL: http://www.gulftech.org/vuln/DUd3.html
Bugtraq ID: 9246