
Insufficient Authorization vulnerability in Act

Published: 2013-09-09 00:00:00 (vulners.com)

Hello 3APA3A!

This is an Insufficient Authorization vulnerability in Act, conference management software written in Perl.

Besides Insufficient Authorization, there are many other vulnerabilities in Act.


Affected products:

All versions of Act are vulnerable (the developers fixed this hole on July 27, 2013). The developers do not use version numbers for their software.


Affected vendors:

Act - A Conference Toolkit
http://act.mongueurs.net


Details:

Insufficient Authorization (WASC-02):

http://site/edittalk?talk_id=1

Any authenticated user can edit arbitrary talks by setting the talk_id parameter, and can also delete them through the same edit function.

This vulnerability could be used to sabotage a conference by deleting all of its talks.
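The flaw and its fix in minimal form, as an added example that is not Act's own code (Act is written in Perl; this model is in Python). All names here (User, Talk, is_organizer, edit_talk_vulnerable, edit_talk_fixed, make_talks) are hypothetical, and the talk data is constructed for the demonstration.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller may not act on the requested talk."""

@dataclass
class User:
    user_id: int
    is_organizer: bool = False  # organizers may edit any talk

@dataclass
class Talk:
    talk_id: int
    owner_id: int
    title: str
    deleted: bool = False

def make_talks():
    # Constructed sample data: two talks submitted by two different users.
    return {1: Talk(1, owner_id=10, title="Talk by user 10"),
            2: Talk(2, owner_id=20, title="Talk by user 20")}

def _apply(talk, title, delete):
    # Shared write path: the edit form's delete action goes through here too.
    if delete:
        talk.deleted = True
    elif title is not None:
        talk.title = title
    return talk

def edit_talk_vulnerable(talks, user, talk_id, title=None, delete=False):
    # Authentication only: any logged-in user reaches whatever talk the
    # client-supplied talk_id names. This mirrors the flaw in the advisory.
    if user is None:
        raise Forbidden("login required")
    return _apply(talks[talk_id], title, delete)

def edit_talk_fixed(talks, user, talk_id, title=None, delete=False):
    # Authorization: the talk must belong to the caller, or the caller must
    # be an organizer. Checked before any write, so delete is covered too.
    if user is None:
        raise Forbidden("login required")
    talk = talks.get(talk_id)
    if talk is None:
        raise KeyError(f"no talk {talk_id}")
    if talk.owner_id != user.user_id and not user.is_organizer:
        raise Forbidden(f"user {user.user_id} may not edit talk {talk_id}")
    return _apply(talk, title, delete)
```

The ownership check must sit in the handler that performs the write, not only in the page that renders the edit form, because the form's hidden fields are under the client's control.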


Timeline:

2013.07.14 - informed the organizers of YAPC::Europe 2013, on whose site I found this and other holes. They ignored the request to fix this and all the other holes on their site (which they have had for 10 years of using Act), arguing that the developers of Act should do that and that they don't care about the security of their site.
2013.07.14 - informed the Act developers. They did not answer.
2013.07.16 - announced at my site.
2013.07.27 - the developers fixed this vulnerability (without answering or thanking me) (https://github.com/book/Act/commit/e9c5257594f7eb69c4f935fb14fadb1bc79b46d7).
2013.08.29 - disclosed at my site (http://websecurity.com.ua/6657/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua