DUportal Multiple Hidden Form Manipulation

2003-12-18T06:24:20
ID OSVDB:3775
Type osvdb
Reporter OSVDB
Modified 2003-12-18T06:24:20

Description

Vulnerability Description

DUportal contains a flaw that allows a remote attacker to manipulate many form fields to gain administrative access and more. Because the application relies heavily on client-side validation and client-supplied input, an attacker can change numerous hidden fields before submitting the form to the server. This allows the attacker to perform administrative actions, hijack arbitrary accounts, alter prices and more.
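The flaw class described above, shown beside a server-side alternative that ignores hidden fields for every security decision and treats a mismatch as a detection signal. This is an added example, not DUportal code or part of the advisory; the field names (`user`, `is_admin`, `price_cents`, `sku`, `qty`), the catalog and the role table are hypothetical, and Python stands in for the application's own language.

```python
import logging

log = logging.getLogger("form-tamper")

# Server-side sources of truth (constructed sample data, prices in cents).
CATALOG = {"sku-100": 4995, "sku-200": 1200}
ROLES = {"alice": "admin", "bob": "user"}

def handle_order_trusting(form):
    """Flawed pattern: identity, privilege and price all come from the request."""
    return {
        "user": form["user"],
        "is_admin": form.get("is_admin") == "1",
        "total_cents": int(form["price_cents"]) * int(form["qty"]),
    }

def handle_order_hardened(form, session):
    """Accept only item and quantity from the client; derive everything else."""
    user = session.get("user")
    if user not in ROLES:
        raise PermissionError("no authenticated session")
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    is_admin = ROLES[user] == "admin"
    # Hidden fields may still arrive; compare them with server state so that
    # a disagreement is logged instead of silently honoured.
    expected = {"user": user, "price_cents": str(CATALOG[sku]),
                "is_admin": "1" if is_admin else "0"}
    tampered = sorted(k for k, v in expected.items()
                      if k in form and str(form[k]) != v)
    if tampered:
        log.warning("hidden-field mismatch user=%s fields=%s", user, tampered)
    return {"user": user, "is_admin": is_admin,
            "total_cents": CATALOG[sku] * qty, "tampered": tampered}
```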

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.duware.com/products/category.asp?iCat=8&nCat=Portal%20&%20Site
Secunia Advisory ID: 10456
Related OSVDB ID: 3071
Related OSVDB ID: 3772
Related OSVDB ID: 3774
Related OSVDB ID: 3773
Related OSVDB ID: 3776
Related OSVDB ID: 3269
Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2003-12/0239.html
ISS X-Force ID: 14016
Generic Exploit URL: http://www.gulftech.org/vuln/DUd3.html
Bugtraq ID: 9246