HC's Capture the Flag website
25C3-CTF


Advisory #81

From team SpaceBoyZ

New advisory by: struppi
Affected service(s): VDspi
Severity [lmh]: low

===== Problem =====

Search by ID "n" lists all records whose ID contains substring "n"

===== Impact =====

Sequentially searching for IDs 1, 2, 3, ..., 9 will reveal the complete database's contents.

===== Fix =====

--- persondb.adb.before69 2008-12-29 15:38:26.000000000 -0600
+++ persondb.adb.orig 2008-12-29 13:52:31.000000000 -0600
@@ -86,7 +86,7 @@
n : ID_Type := 10 ** (Integer (Log (Long_Float (id)) / Log (10.0)) + 1);
function pred (p : Person_Type) return Boolean is
begin
- return (Person.ID (p) = id);
+ return (Person.ID (p) mod n = id);
end pred;
begin
return Search_By_Pred (db, pred'Access, process);
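Review bot: the hunk is reversed relative to its headers, so applying it forward reintroduces the bug: `--- persondb.adb.before69` is the patched file and `+++ persondb.adb.orig` is the original, which makes `+ return (Person.ID (p) mod n = id);` the vulnerable line and `- return (Person.ID (p) = id);` the fix. Because `n` is a power of ten greater than `id`, the test `Person.ID (p) mod n = id` holds for every record whose low-order digits spell `id`, not only the record with that ID, which is the leak described under Problem. Swap the file order (or regenerate the patch from `.orig` to the fixed file) so it applies in the fix direction. Once the comparison is the plain `Person.ID (p) = id`, the declaration `n : ID_Type := 10 ** (Integer (Log (Long_Float (id)) / Log (10.0)) + 1);` in the context above is dead code and should be dropped too; it also evaluates `Log` of `id`, which is undefined for an id of 0.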


Rating

[0] too late


