Security Advisory 05 – 008 – Poor Password Change Implementation
Webseries Payment Application
Vulnerability discovery and development:
Portcullis Security Testing Services
Bottomline Webseries Payment Application
The change-password functionality does not require the user to enter their current password.
From a system where a valid user is logged in, it is a trivial matter for a malicious user to change that user's password and gain full access to the account.
No exploit code required.
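The weakness above, and the mitigation, as an added example (constructed here; not code from the Bottomline product or from Portcullis): a change-password handler that trusts the session alone, beside one that re-authenticates with the current password before accepting a new one. The in-memory user store and PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # assumed parameter for this example


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a password hash with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes


USERS: dict = {}  # constructed in-memory user store


def create_user(name: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[name] = User(name, salt, _hash(password, salt))


def verify(name: str, password: str) -> bool:
    """Constant-time password check; unknown users cost the same as known ones."""
    user = USERS.get(name)
    if user is None:
        _hash(password, b"\0" * 16)  # equalise timing for missing accounts
        return False
    return hmac.compare_digest(_hash(password, user.salt), user.pw_hash)


def change_password_weak(session_user: str, new_password: str) -> bool:
    """Pattern the advisory describes: a logged-in session is all that is needed."""
    user = USERS[session_user]
    user.salt = os.urandom(16)
    user.pw_hash = _hash(new_password, user.salt)
    return True


def change_password(session_user: str, current_password: str, new_password: str) -> bool:
    """Hardened form: re-authenticate with the current password before changing it."""
    if not verify(session_user, current_password):
        return False  # a hijacked session alone cannot set a new password
    if len(new_password) < 12 or new_password == current_password:
        return False
    user = USERS[session_user]
    user.salt = os.urandom(16)
    user.pw_hash = _hash(new_password, user.salt)
    return True
```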