IBuySpy Insecure!
I don't know if any of you are aware of this, but thanks to Papa Doc I now am, and I thought I'd spread the word.
For those unfamiliar, IBuySpy is a framework for a web-based portal app that many use to run their sites with. Amongst other things, there is a serious problem in the user registration module (register.aspx).
"If a user tries to register/create an account with an email address that is already in the database, the registration module will log the user on as the account belonging to the email address, regardless of the name, password, or other information supplied!"
Now, what that means is that if a person registers with the email address of an admin, that person now has full admin rights! That person can now add/edit/delete almost all content on the site, plus gain access to the user database, in which passwords are stored in plain text.
To fix this:
Admin/Register.aspx.vb
Now, look for the line that calls the "AddUser" function and change it to this (the original post's `}` is a garbled `>`; the point is to only proceed when AddUser returns a positive new user id):
If accountSystem.AddUser(Name.Text, FName.Text, LName.Text, Reference.Text, Email.Text, Password.Text) > 0 Then
It's to my understanding that that will fix the problem, but be forewarned: IBuySpy is an insecure app!
For more input check out the 2600 spring issue; Papa Doc has a VBScript for this problem that's worth checking out.
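To make the logic error concrete, here is an added example (not IBuySpy's code, and not from the post or from Papa Doc) that models the register.aspx flow in Python: an in-memory stand-in for the UsersDB/AddUser call, the vulnerable pattern that issues a session for the submitted email without looking at AddUser's result, and the fixed pattern that only authenticates when AddUser returns a positive id. The class and function names, the return-value contract (positive id for a new row, -1 for a duplicate email) and the seed account are all assumptions made for the example.

```python
# Added example modelling the IBuySpy register.aspx logic; not the project's code.
# UsersDB, register_vulnerable, register_fixed and the seed data are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class UsersDB:
    """Constructed stand-in for IBuySpy's UsersDB / AddUser stored procedure.

    users maps email -> (user_id, name, password). Passwords are kept in the
    clear here only to mirror what the post describes; a real store must hash them.
    """
    users: Dict[str, Tuple[int, str, str]] = field(default_factory=dict)
    next_id: int = 1

    def add_user(self, name: str, email: str, password: str) -> int:
        # Contract the fix relies on: a new account gets a positive id,
        # a duplicate email inserts nothing and returns a non-positive value.
        if email in self.users:
            return -1
        uid = self.next_id
        self.next_id += 1
        self.users[email] = (uid, name, password)
        return uid


def register_vulnerable(db: UsersDB, name: str, email: str, password: str) -> Optional[str]:
    """Vulnerable pattern: AddUser's return value is ignored and the session is
    issued for the submitted email whether or not an account was created, so a
    duplicate email yields a session as the existing account."""
    db.add_user(name, email, password)
    return email  # name placed in the authentication ticket


def register_fixed(db: UsersDB, name: str, email: str, password: str) -> Optional[str]:
    """Fixed pattern from the post: authenticate only when a new account was made."""
    if db.add_user(name, email, password) > 0:
        return email
    return None  # registration refused, no session issued


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Returns (vulnerable result, fixed result) for a duplicate email, plus the
    fixed result for a genuinely new email, using a constructed seed account."""
    db = UsersDB()
    db.add_user("Site Admin", "admin@example.invalid", "seed-password")  # constructed
    dup_vulnerable = register_vulnerable(db, "Someone", "admin@example.invalid", "anything")
    dup_fixed = register_fixed(db, "Someone", "admin@example.invalid", "anything")
    new_fixed = register_fixed(db, "Newcomer", "new@example.invalid", "pw")
    return dup_vulnerable, dup_fixed, new_fixed


if __name__ == "__main__":
    print(demo())  # → ('admin@example.invalid', None, 'new@example.invalid')
```

Two things worth checking when applying the one-line fix on a real install: the `> 0` test only helps if the AddUser stored procedure really does refuse the duplicate email and returns a non-positive value (otherwise a second row or a positive id would still slip through), and after registration the account should be logged in with the identity the database actually created rather than whatever string the form submitted.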