CVE-2005-4448

Properties

Published: 20.12.2005
Updated: 21.12.2005
Patch available:
Severity: High
CVSS vector: (AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)
Product: FlatNuke: FlatNuke

Vulnerability description

FlatNuke 2.5.6 verifies authentication credentials based on an MD5 checksum of the admin name and the hashed password rather than the plaintext password, which allows attackers to gain privileges by obtaining the password hash (possibly via CVE-2005-2813), then calculating the credentials and including them in the secid cookie.

References:

BUGTRAQ: http://www.securityfocus.com/archive/1/419107
http://cvs.sourceforge.net/viewcvs.py/flatnuke/flatnuke/Changelog?rev=1.78&view=markup
BID: http://www.securityfocus.com/bid/15796
SECTRACK: http://securitytracker.com/id?1015339
XF: http://xforce.iss.net/xforce/xfdb/22159