COMMAND

    surf-net ASP forum

SYSTEMS AFFECTED

    surf-net ASP forum

PROBLEM

    Mark  Lastdrager  found  following.   The  free surf-net ASP forum
    contains at  least one  major security  hole which  can be  easily
    exploited by a  malicious user.   Problem was discovered  during a
    website audit.  Anyone can become the administrator of the message
    board.

    The forum sets  a cookie 'userid'  as soon as  a user logs  on (if
    the user prefers cookies).  This cookie seems a representation  of
    some kind  of the  real userid.   When auditing,  we first  got  a
    cookie with  userid '2666664'  (with real  userid 3,  registration
    page  returns  this  number),  and  after  we  registered a second
    userid '3555552'  (with real  userid 4)  it wasn't  hard to  guess
    that the  admin user  would have  the userid  '0888888' (thus real
    userid  1).   After  changing  the  local  cookie  and  restarting
    Netscape it turned out we were right.

    After that we found  and downloaded the sourcecode  and discovered
    this at line 89 of common.inc:

        lngLoggedInUserID = CLng(Request.Cookies("Forum")("UserID") / 888888)

    Which of course is not a very secure way of doing things.

SOLUTION

    Author  reacted  within  one  day  and  fixed  the problem.  Fixed
    version 2.30 should be available at

        http://www.surf-net.co.uk/asp/forum/forum_script.asp