IJJI: Security Question verification vulnerability

30Jun09

Product: IJJI Homepage
Class: Web-verification error
Product Details:
The IJJI content-management system requires a username, a password, and a “secret answer” (An answer to a specific question you select at registration) to modify any valuable account details (Name, address, phone number, password, e-mail, etc).

The page can be reached by clicking the My Account page on the IJJI homepage

Disclosure Details:
If the hidden field, “questiontype”, is not sent to the processing page for account data, the value of the secret answer field is treated as if it were real (Allowing an attacker to modify vital account details with only a username and password).

Disclosure Execution:

To execute such an attack, I recommend users direct themselves to the “My Account” page on the IJJI webpage (http://member.ijji.com/myProfile.nhn), then remove the following line:


<input type="hidden" name="questiontype". . .

(The ellipses don’t appear in the actual page itself; they represent the rest of the line, which may resemble value=”q1 />” or value=”q2 />”)

Advertisements


2 Responses to “IJJI: Security Question verification vulnerability”

  1. 1 x1nixmzeng

    Why don’t you mention how the POST data changes? You certainly don’t need to “remove a .. line” in order to bypass the security questions.

    • 2 majii

      I already explained in the details segment, the only matter changing in the POST data is the removal of the questiontype field.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: