SecurityTracker.com
Category:   Application (Generic)  >   Ultimate Bulletin Board
Vendors:   Infopop
(Vendor Announces Fix) Re: Ultimate Bulletin Board from Infopop Lets Moderators View Restricted Administrator Forums
SecurityTracker Alert ID:  1001256
SecurityTracker URL:  http://securitytracker.com/id/1001256
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 7 2001
Impact:   User access via network

Version(s): 5.47e
Description:   A reported vulnerability in Infopop's Ultimate Bulletin Board allows authorized "moderators" to view forums otherwise restricted to "administrators."

A previous security problem made it possible for an unauthorized user to read private, password-protected forums by using a specially crafted query string with the postings.cgi script:

'action=reply&forum=doesnotmatter&number=1&topic=000001.cgi&TopicSubject=doesnotmatter&replyto=0',

where "number" is set to the number of the private forum, and "topic" and "replyto" are set to the number of the message to be read.

This previous security vulnerability has reportedly been partially fixed. It is still possible for "moderators" to read an "administrators" forum.

Vendor has been contacted.
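
Sites still running 5.47e can review web server access logs for the request pattern described above. The following Python sketch is an added example, not part of the original advisory or of the vendor's code; the Common Log Format layout, the restricted forum numbers and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: forum numbers that are private on the board being reviewed.
RESTRICTED_FORUMS = {"7", "12"}

# Common Log Format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Apr/2001:20:01:11 +0000] "GET /cgi-bin/postings.cgi?action=reply&forum=x&number=7&topic=000001.cgi&TopicSubject=x&replyto=0 HTTP/1.0" 200 5120',
    '192.0.2.10 - - [06/Apr/2001:20:01:40 +0000] "GET /cgi-bin/postings.cgi?action=reply&forum=General&number=2&topic=000004.cgi&TopicSubject=hi&replyto=1 HTTP/1.0" 200 4096',
    '198.51.100.4 - - [06/Apr/2001:20:03:02 +0000] "GET /cgi-bin/postings.cgi?action=reply&forum=x&number=%31%32&topic=000003.cgi&TopicSubject=x&replyto=3 HTTP/1.0" 200 6100',
    '198.51.100.4 - - [06/Apr/2001:20:03:09 +0000] "GET /index.html?number=7 HTTP/1.0" 200 900',
]

def _norm(number):
    """Compare forum numbers without zero padding: '007' equals '7'."""
    return number.strip().lstrip("0") or "0"

def find_restricted_reads(lines, restricted=RESTRICTED_FORUMS):
    """Return (time, ip, forum number, topic, status) for every logged
    postings.cgi reply request whose "number" names a restricted forum."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m.group("target"))
        if not unquote(url.path).lower().endswith("/postings.cgi"):
            continue
        # parse_qs percent-decodes values and keeps repeated parameters.
        qs = parse_qs(url.query, keep_blank_values=True)
        if "reply" not in qs.get("action", []):
            continue
        topic = qs.get("topic", [""])[0]
        for number in map(_norm, qs.get("number", [])):
            if number in restricted:
                hits.append((m.group("ts"), m.group("ip"), number,
                             topic, m.group("status")))
    return hits

if __name__ == "__main__":
    for hit in find_restricted_reads(SAMPLE_LOG):
        print(*hit, sep="  ")
```

Only query strings sent with GET requests appear in access logs, and a hit shows that a restricted forum was requested, not who requested it; each hit still has to be matched against the board's own account records to decide whether the requester was entitled to that forum.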

Impact:   An authorized user with "moderator" privileges can view forums otherwise restricted to users with "administrator" privileges.
Solution:   The vendor notes that version 5.47e is an older version that is no longer maintained and that versions 6.0, 6.01, 6.02, and 6.03 (the current version) do not have this vulnerability. A patch for 5.47e will be available shortly.
Vendor URL:  www.infopop.com/
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Apr 6 2001 Ultimate Bulletin Board from Infopop Lets Moderators View Restricted Administrator Forums



 Source Message Contents

Date:  Fri, 6 Apr 2001 20:17:04 -0000
Subject:  Re: Ultimate Bulletin Board Version 5.47e


In regards to the bugtraq report on Ultimate 
Bulletin Board™ version 5.47e:

Version 5.47e is an older, no longer maintained 
version of the Ultimate Bulletin Board. Versions 
6.0, 6.01, 6.02, and 6.03 (the current version) do 
not have this liability.

Earlier this week Infopop Corporation sent an 
email out to the email address of record of every 
single current Ultimate Bulletin Board™ license 
holder informing them that series 6 is available 
to them in our Members area. Upgrades to the 
software are free provided the license holder 
maintains a valid Members Area subscription.

Infopop Corporation urges "ultimator303" and every 
license holder to log into our Members Area and 
download the most current version of the software.

Infopop Corporation will release a patch to 5.47e 
in the Members Area later today for those people 
who for some reason feel they must still run an 
outdated and unmaintained version of the software.

 
 



Copyright 2013, SecurityGlobal.net LLC