phpMyChat edituser.php3 do_not_login Variable Authentication Bypass

2004-04-22T00:00:00
ID OSVDB:7149
Type osvdb
Reporter HEX(hex@hex.net.ru)
Modified 2004-04-22T00:00:00

Description

Vulnerability Description

phpMyChat contains a flaw that may lead to an unauthorized information disclosure. By sending a specially crafted HTTP POST request to 'edituser.php3' where 'do_not_login' is set to 'false', a remote attacker could bypass the user authentication.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://www.phpheaven.net/rubrique4.html
Security Tracker: 1010515
Secunia Advisory ID: 11894
Related OSVDB ID: 7151
Related OSVDB ID: 7152
Related OSVDB ID: 7150
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-06/0252.html
Mail List Post: http://seclists.org/lists/bugtraq/2004/Jun/0261.html
ISS X-Force ID: 16440
CVE-2004-2715
Bugtraq ID: 10556