ID: OSVDB:3866
Type: osvdb
Reporter: OSVDB
Modified: 2002-02-02T00:00:00
Description
Vulnerability Description
DCForum contains a flaw that allows a remote attacker to predict newly created account passwords. The issue is due to a flaw in the method user_register.pl uses when generating passwords. New passwords are created based on user information and session ID information, which is easily predictable.
Solution Description
Currently, there are no known workarounds or upgrades to correct this issue.
However, the vendor has released a patch to address this vulnerability.
Short Description
DCForum contains a flaw that allows a remote attacker to predict newly created account passwords. The issue is due to a flaw in the method user_register.pl uses when generating passwords. New passwords are created based on user information and session ID information, which is easily predictable.
References:
Vendor URL: http://www.dcscripts.com/dcforum.shtml
Vendor Specific Solution URL: http://www.dcscripts.com/bugtrac/DCForumID7/3.html
Related OSVDB ID: 2038
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-01/0455.html
ISS X-Force ID: 8044
CVE-2002-0226
Bugtraq ID: 4014
Record Details:
Title: DCForum user_register.pl Predictable Password
Bulletin Family: software
Published: 2002-02-02T00:00:00
CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
Vulners Score: 5.4
Affected Software: DCForum 6.21, DCForum 2000 1.0, DCForum 5.0, DCForum 6.0
Related Records:
CVE-2002-0226 (published 2002-05-16T00:00:00, CVSS 7.5): retrieve_password.pl in DCForum 6.x and 2000 generates predictable new passwords based on a sessionID, which allows remote attackers to request a new password on behalf of another user and use the sessionID to calculate the new password for that user. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0226
OSVDB:2038 (published 2002-01-31T00:00:00, CVSS 7.5): DCForum retrieve_password.pl Predictable Password. DCForum contains a flaw that allows a remote attacker to predict newly created account passwords. The issue is due to a flaw in the method retrieve_password.pl uses when generating passwords. New passwords are created based on user information and session ID information, which is easily predictable. Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-01/0396.html https://vulners.com/osvdb/OSVDB:2038