TITLE:
Ektron CMS400.NET Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA39547

VERIFY ADVISORY:
http://secunia.com/advisories/39547/

DESCRIPTION:
Some vulnerabilities have been reported in Ektron CMS400.NET, which
can be exploited by malicious users to bypass certain security
restrictions and by malicious people to disclose sensitive
information, conduct cross-site scripting attacks, or bypass certain
security restrictions.

1) Input passed via the "info" parameter to WorkArea/reterror.aspx or
via the "selectids" parameter to workarea/medialist.aspx is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.

2) Access to a diagnostics page is not properly restricted, which can
be exploited to disclose potentially sensitive information, e.g.
session information, software version, or applied security settings.

3) An error in the authentication mechanism can be exploited to
access the WorkArea of users by manipulating the "emc" cookie and
e.g. disclose names and email addresses.

4) An error in the XML parser can be exploited to e.g. read arbitrary
files from the local system via external entities specified in XML
data passed via a web form or the SOAP interface.

5) Access to multiple scripts in the "/WorkArea" directory is not
properly restricted, which can be exploited to access pages with
potentially administrative functionality.

Successful exploitation allows e.g. enumeration of names and email
addresses. Some pages may require authentication.

6) An error in workarea/blankredirect.aspx allows redirection to an
arbitrary web page.

The vulnerabilities are reported in version 7.5.2.49.
Other versions may also be affected.

SOLUTION:
It is currently unclear whether fixes to these vulnerabilities exist.

Filter malicious requests in a proxy and restrict network access to
the SOAP interface and the "workarea" directory.

PROVIDED AND/OR DISCOVERED BY:
Richard Moore and Rohan Stelling, Westpoint Limited

ORIGINAL ADVISORY:
Westpoint:
http://www.westpoint.ltd.uk/advisories/wp-09-0005.txt
http://www.westpoint.ltd.uk/advisories/wp-09-0006.txt
http://www.westpoint.ltd.uk/advisories/wp-09-0007.txt
http://www.westpoint.ltd.uk/advisories/wp-09-0008.txt
http://www.westpoint.ltd.uk/advisories/wp-09-0009.txt
http://www.westpoint.ltd.uk/advisories/wp-09-0010.txt
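
A sketch of the proxy-side filtering recommended under SOLUTION, as an added example that is not part of the Secunia or Westpoint advisories: it normalises the request path before matching the "workarea" directory and screens the "info" and "selectids" parameters for markup. The management network, the sample requests and the function names are assumptions; the SOAP interface is not covered because the advisory does not give its path.

```python
import ipaddress
import posixpath
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: management networks allowed to reach the WorkArea (constructed value).
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Script -> parameter the advisory reports as returned to the user unsanitised.
REFLECTED = {"reterror.aspx": "info", "medialist.aspx": "selectids"}
MARKUP = set("<>\"'")


def normalise_path(raw_path):
    """Decode and collapse a URL path as a case-insensitive site would resolve it."""
    path = unquote(unquote(raw_path)).replace("\\", "/")  # single and double encoding
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def decide(client_ip, url):
    """Return (action, reason) for one request; action is 'allow' or 'deny'."""
    parts = urlsplit(url)
    segments = [s for s in normalise_path(parts.path).split("/") if s]
    if "workarea" not in segments:
        return ("allow", "outside workarea")
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in ADMIN_NETS):
        return ("deny", "workarea from untrusted network")
    # Trusted clients can still be sent a crafted link, so screen the two
    # reflected parameters for markup characters after decoding.
    param = REFLECTED.get(segments[-1])
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == param and MARKUP & set(unquote(value)):
            return ("deny", "markup in reflected parameter")
    return ("allow", "workarea from management network")


# Constructed sample requests: (client IP, request URL).
SAMPLES = [
    ("203.0.113.7", "/WorkArea/reterror.aspx?info=test"),
    ("203.0.113.7", "/public/../WORKAREA//blankredirect.aspx"),
    ("10.20.0.5", "/workarea/medialist.aspx?selectids=1,2,3"),
    ("10.20.0.5", "/WorkArea/reterror.aspx?INFO=%253Cb%253E"),
    ("203.0.113.7", "/default.aspx"),
]

if __name__ == "__main__":
    for ip, url in SAMPLES:
        print(ip, url, *decide(ip, url))
```

Matching on the normalised, lower-cased path matters here because the advisory itself refers to the directory as both "WorkArea" and "workarea".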