Date: Fri, 15 Jan 1999 21:45:24 -0700 From: Joel Knight To: BUGTRAQ@netspace.org Subject: DPEC Online Courseware DPEC's (www.dpec.com) Online Courseware has a nasty bug in it that allows anyone to change anyone elses password without knowing what their current password is. This is NOT limited to normal user accounts, but also to the admin account(s). When a user logs in for the first time, they are required to change their password. User jblow goes to the main login page and enters his username and password. The courseware sees that he is a new user and gives jblow a second login screen asking him to verify his password; this is where the problem is. The courseware puts the following tag into the verification page: . This tag basically tells the courseware "its ok, change the current password to what the user enters and allow them to login regardless of current password (if any)". Further inspection of the verification page will find the actual password stored in an tag with the TYPE="hidden" attribute. Simply by saving a copy of this verification page to your hard drive and making the proper modifications, you can gain (administrator) access to the courseware. DPEC was notified back in Oct/Nov 1998 and basically said that there was no other way that this password verification could take place. I will not bore the Bugtraq readers with my rant on that subject :P AFAIK, in DPEC's latest release, this problem has not been fixed. -- Joel Knight jwknight@cyberlink.bc.ca PGP Key: hkp://keys.pgp.com/jwknight@cyberlink.bc.ca KeyID 2048/38C24864 Fingerprint 6D7D 1E4F 728B ACDA 6557 F3EC 85BB BA7C 38C2 4864 ------------------------------------------------------------------------ Date: Mon, 1 Feb 1999 15:49:39 -0700 From: Don Papp To: BUGTRAQ@netspace.org Subject: DPEC Online Courseware Fix On Fri, 15 Jan 1999, Joel Knight wrote: > AFAIK, in DPEC's latest release, this problem has not been fixed. DPEC has released a fix - here is the meat of it: >> Preventing unauthorized password changes: >> >> 1) Use anonymous ftp to connect to teach.dpec.com. >> >> 2) Switch to the /pub directory. >> >> 3) Select the appropriate patch file for your OS from the following list: >> >> aix_patch_990125.tar.gz >> bsdi_patch_990125.tar.gz >> digital_patch_990125.tar.gz >> hp-ux_patch_990125.tar.gz >> linux_patch_990125.tar.gz >> nt_patch_990125.zip >> solaris_patch_990125.tar.gz >> >> 4) Fetch the appropriate patch file using binary ftp. >> >> 5) Decompress and unpack the patch file. >> >> 6) Consult the readme.txt file for installation instructions. >> >> This fix will be incorporated into future versions of the courseware. | Donald Papp | Support Analyst | OA Internet Inc. | don@oa.net