|
Vignette Story Server Multiple Vulnerabilities
|
|
Secunia Advisory:
|
SA8908
|
|
|
Release Date:
|
2003-06-02
|
|
Popularity:
|
5,586 views
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Security Bypass
Cross Site Scripting
Manipulation of data
DoS
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Vignette Story Server 4.x
Vignette Story Server 5.x
Vignette V6
Vignette V7
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
Description:
Multiple vulnerabilities have been identified in Vignette, which could possibly allow malicious users to gain system access.
User supplied text will be used and interpreted when generating pages allowing malicious users to execute arbitrary commands using Server Side Includes.
It is possible to execute arbitrary "SELECT" SQL queries using "/vgn/legacy/save". The only requirement is that the cookie "vgn_creds" is set to any value.
If a parameter contains "-->" when requesting "/vgn/login", parts of the servers memory is returned.
"/vgn/style" is publicly accessible allowing malicious people to see various system details.
"/vgn/license" is publicly accessible allowing malicious people to view and alter license information. By changing the license information it is possible to cause a Denial of Service.
It is possible to enumerate valid usernames, because Vignette returns different answers when usernames are valid and invalid.
It has been reported that it is possible to execute arbitrary TCL code, because input from HTTP_QUERY_STRING, HTTP_COOKIE and HTTP_REFERER are used in an insecure way. However, other reports claims that this can only be exploited to conduct Cross Site Scripting. The following scripts are affected:
/vgn/ac/edit
/vgn/ac/index
/vgn/vr/Editing
/vgn/vr/Select
/vgn/legacy/edit
/vgn/ppstats
Furthermore, multiple issues of lacking input validation in various scripts have been identified allowing malicious people to conduct Cross Site Scripting.
NOTE: Not all vulnerabilities have been reported for all versions.
Solution:
It has been reported that updates are available from the vendor.
Provided and/or discovered by:
rpinuaga, s21sec.
Original Advisory:
http://www.s21sec.com/en/avisos/s21sec-016-en.txt
http://www.s21sec.com/en/avisos/s21sec-017-en.txt
http://www.s21sec.com/en/avisos/s21sec-018-en.txt
http://www.s21sec.com/en/avisos/s21sec-019-en.txt
http://www.s21sec.com/en/avisos/s21sec-020-en.txt
http://www.s21sec.com/en/avisos/s21sec-021-en.txt
http://www.s21sec.com/en/avisos/s21sec-023-en.txt
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
