
Security bug found and fixed in v7.95!

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=17104
Printed Date: 16 April 2026 at 6:30am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Security bug found and fixed in v7.95!
Posted By: MadDog
Subject: Security bug found and fixed in v7.95!
Date Posted: 01 November 2005 at 3:39pm
I found a bug today in forum_posts.asp that allows any visitor to view any topic regardless of topic and forum permissions.

Download the zip below and replace forum_posts.asp with the one in your forum.

I reported this bug to -boRg- so hopefully he will provide an official patch soon, but for the meantime I'm posting this.

uploads/MadDog/2005-11-01_153828_forum_posts.zip - Download Fix Here

-------------
http://www.iportalx.net



Replies:
Posted By: Ali Bilgrami
Date Posted: 01 November 2005 at 4:55pm
Can you tell me where to change forum_posts.asp? I have some modifications done on that file. Pointing out the code will be a help; if for security reasons you can't do it then kindly PM me.


Posted By: MadDog
Date Posted: 01 November 2005 at 5:01pm
Sorry, but I'm not going to actually show the code that I changed, due to security reasons. For now I'm not going to say.

-------------
http://www.iportalx.net


Posted By: Ali Bilgrami
Date Posted: 01 November 2005 at 5:20pm
No problem, as I went through the updated file... I got some idea about it...
Let's see what -boRg- comes up with... and thanks for the fix :)


Posted By: stonecutter
Date Posted: 03 November 2005 at 11:53pm
I applied the fix and received a VB Script Runtime error when trying to access a password restricted forum. I copied back the original file. Thanks for your efforts but for some reason it didn't work on my system.


Posted By: WebWiz-Bruce
Date Posted: 04 November 2005 at 3:45am
A fix for this and some of the bugs in 7.95 was released 2 days ago.

Just download the latest version, 7.96.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


Posted By: Ali Bilgrami
Date Posted: 04 November 2005 at 8:05am
Not again.
Is there a version history available, or say in which files I should cut/paste or edit the code?


Posted By: dj air
Date Posted: 04 November 2005 at 8:14am
There is a version history that says which files were edited.


<--- edit -->

http://www.webwiz.net/web_wiz_forums/Version%20History.txt

It was 2 files: forum_posts.asp and active topics.asp


Posted By: JJLatWebWiz
Date Posted: 04 November 2005 at 12:56pm
Thanks MadDog for the catch! Now I'll have to look through my raw server logs to see if anyone has been exploiting this.

By the way, why do you use the var "strDBTableTopics" instead of "strDbTable & "Topic""? That var is probably why stonecutter got that error.

-------------
p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.


