Act Insufficient Authorization

2013.09.02
Credit: MustLive
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Hello list! This is an Insufficient Authorization vulnerability in Act, conference software written in Perl. Besides Insufficient Authorization, there are many other vulnerabilities in Act.

-------------------------
Affected products:
-------------------------

All versions of Act are vulnerable (the developers fixed this hole on July 27, 2013). The developers don't use version numbers for their software.

-------------------------
Affected vendors:
-------------------------

Act - A Conference Toolkit
http://act.mongueurs.net

----------
Details:
----------

Insufficient Authorization (WASC-02):

http://site/edittalk?talk_id=1

Any authenticated user can edit arbitrary talks (by setting the id), and also delete them (via the edit function). This vulnerability can be used to sabotage a conference by deleting all talks.

------------
Timeline:
------------

2013.07.14 - informed organizers of YAPC::Europe 2013, on whose site I found this and other holes. They ignored the need to fix this and all other holes at their site (which they had had for 10 years while using Act), arguing that the developers of Act should do that and that they don't care about the security of their site.
2013.07.14 - informed Act developers. They didn't answer.
2013.07.16 - announced at my site.
2013.07.27 - developers fixed this vulnerability (without answering or thanking) (https://github.com/book/Act/commit/e9c5257594f7eb69c4f935fb14fadb1bc79b46d7).
2013.08.29 - disclosed at my site (http://websecurity.com.ua/6657/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
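The authorization gap described in the Details section, modelled as an added Python example (this is not Act's own Perl code, which the advisory does not show): the pre-fix handler only checks that the caller is logged in, so any authenticated user can edit or delete a talk by choosing its id, while the hardened handler also requires that the talk belongs to the caller or that the caller holds an organizer role. The organizer role, the sample talks and the Forbidden response are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    is_organizer: bool = False  # assumed role; Act's real role model is not on the page


@dataclass
class Talk:
    talk_id: int
    owner_id: int
    title: str


class Forbidden(Exception):
    """Raised where the web app would answer 403 instead of performing the edit."""


def sample_talks() -> Dict[int, Talk]:
    # Constructed sample data standing in for the conference database.
    return {
        1: Talk(1, owner_id=10, title="Keynote"),
        2: Talk(2, owner_id=20, title="Lightning talk"),
    }


def edit_talk_unchecked(talks: Dict[int, Talk], user: Optional[User], talk_id: int, new_title: str) -> Talk:
    """Pre-fix behaviour from the advisory: authentication is checked, ownership is not."""
    if user is None:
        raise Forbidden("login required")
    talk = talks[talk_id]          # talk_id comes straight from the query string
    talk.title = new_title
    return talk


def can_modify(user: User, talk: Talk) -> bool:
    # Object-level check: the owner of the talk or an organizer may change it.
    return user.is_organizer or talk.owner_id == user.user_id


def edit_talk(talks: Dict[int, Talk], user: Optional[User], talk_id: int,
              new_title: Optional[str] = None, delete: bool = False) -> Optional[Talk]:
    """Hardened handler: every edit and delete is tied to the caller's own talks."""
    if user is None:
        raise Forbidden("login required")
    talk = talks.get(talk_id)
    # Same response for a missing talk and a foreign talk, so the id space is not enumerable.
    if talk is None or not can_modify(user, talk):
        raise Forbidden("not your talk")
    if delete:
        del talks[talk_id]
        return None
    talk.title = new_title
    return talk
```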

References:

https://github.com/book/Act/commit/e9c5257594f7eb69c4f935fb14fadb1bc79b46d7

