HC's Capture the Flag website

25C3-CTF final results

Advisory #58

From team h4ck!nb3rg

New advisory by : churchy
Affected service(s): ultrashare
Severity [lmh] : low


okaaayyy, here is our second try:

===== Problem =====
every user in the ultrashare application can change its password without the need of entering the old password first - and yes, it's not an sql injection^^ (do not try to find vulns that are not there, even if it works....) just enter any old password and two times the new one and you are done.

===== Impact =====
as described above, once you are logged in, you can hijack the account by changing the pass without knowing the old one.


===== Fix =====
again, edit the file db.rb, function changePassword: there is an error when checking the old password. you can replace it by this:

# re-authenticate with the supplied old password before changing anything
options = login user, oldpass
if options[:errors].length != 0
  return { :msgs => "Password could not be changed", :errors => ["Old password is not correct"] }
end


it took long, but hopefully this counts now :)





Rating

[2] Yes. This counts :-)
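
The missing check and the fix from the advisory, side by side, as an added example that is not the ultrashare code or the team's own. The in-memory `USERS` table, the `digest` and `failure` helpers, the body of `login` and the snake_case function names are assumptions made for illustration; only the `login user, oldpass` call and the `:msgs`/`:errors` return shape come from the advisory.

```ruby
require 'digest'

# Unsalted SHA-256 only keeps the example short; a real service would use a
# slow, salted password hash.
def digest(pass)
  Digest::SHA256.hexdigest(pass.to_s)
end

# Constructed in-memory stand-in for the service's user table (hypothetical).
USERS = { 'alice' => digest('old-secret') }

# Hypothetical login helper returning the shape the advisory's fix relies on:
# a hash whose :errors array is empty on success.
def login(user, pass)
  ok = USERS.key?(user) && USERS[user] == digest(pass)
  { :msgs => ok ? 'Logged in' : 'Login failed',
    :errors => ok ? [] : ['Invalid user or password'] }
end

def failure(reason)
  { :msgs => 'Password could not be changed', :errors => [reason] }
end

# Weak variant (assumed shape): the old password is accepted but never checked.
def change_password_weak(user, _oldpass, newpass, newpass2)
  return failure('New passwords differ') if newpass != newpass2
  USERS[user] = digest(newpass)
  { :msgs => 'Password changed', :errors => [] }
end

# Fixed variant: re-authenticate with the old password before any update.
def change_password_fixed(user, oldpass, newpass, newpass2)
  options = login(user, oldpass)
  return failure('Old password is not correct') if options[:errors].length != 0
  return failure('New passwords differ') if newpass != newpass2
  USERS[user] = digest(newpass)
  { :msgs => 'Password changed', :errors => [] }
end

if __FILE__ == $0
  p change_password_weak('alice', 'wrong-guess', 'n1', 'n1')[:errors]
  USERS['alice'] = digest('old-secret') # reset the constructed record
  p change_password_fixed('alice', 'wrong-guess', 'n1', 'n1')[:errors]
end
```

Re-authenticating through the same `login` path means the password-change form inherits whatever checks login already enforces, instead of duplicating the comparison.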
