[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Cuteflow Version 2.10.3 "edituser.php" Security Bypass Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Cuteflow Version 2.10.3 "edituser.php" Security Bypass Vulnerability
From: hever@xxxxxxxxxxxx
Date: Fri, 21 Aug 2009 12:17:35 -0600

It's possible edit the users (including the admin account), bypassing the
authentication through the address:
http://localhost/cuteflow/pages/edituser.php?userid=1&language=pt&sortby=st
rLastName&sortdir=ASC&start=1

The vulnerability is caused due to the application not properly restricting 
access to the pages/edituser.php script. This can be exploited to modify a 
user's username and password without having proper credentials.

Hever Costa Rocha

Prev by Date: Re: Clear Text Storage of Password in CS-MARS v6.0.4 and Earlier
Next by Date: DoS vulnerabilities in Mozilla Firefox, Internet Explorer and Chrome
Previous by thread: Infinity <= v2.X.X (Local File Disclosure/Auth Bypass) Vulnerabilities
Next by thread: DoS vulnerabilities in Mozilla Firefox, Internet Explorer and Chrome
Index(es):
- Date
- Thread