[NEWS] Vignette Server SSI Injection
From: SecuriTeam (support_at_securiteam.com)
Date: 05/31/03
To: list@securiteam.com
Date: 31 May 2003 10:55:25 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -
Vignette Server SSI Injection
------------------------------------------------------------------------
SUMMARY
<http://www.vignette.com/> Vignette develops Content Management and
Application Portal Software. A vulnerability in the Vignette server allows
attackers not only to inject arbitrary code into web pages but also to
cause that code to be executed.
DETAILS
Vulnerable systems:
This vulnerability has been tested in Vignette StoryServer 4, StoryServer
5, Vignette V/5 and Vignette V/6.
Vignette Software contains a vulnerability that permits the injection of
Server Side Include (SSI) scripting under certain circumstances.
One such circumstance: if a Vignette application takes a text variable
sent by an external web client and displays it after processing, then SSI
commands can be inserted into that variable.
Further, if the SSI EXEC feature is enabled, the bug can lead to remote
command execution under the privileges of the Vignette process. It is
important to note that the bug affects not only the default Vignette
applications but also all applications developed on top of the Vignette
Server Software.
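To make the failure mode above concrete from the defender's side, here is an added Python example (not part of the advisory, and not Vignette's code). It assumes the common `<!--#directive attr="value" -->` SSI syntax, a constructed page template with a `{{value}}` placeholder standing in for the echoed text variable, and a few constructed request-log lines; it shows why raw echoing is dangerous, how HTML-escaping the untrusted value removes the SSI trigger, and how to flag requests whose query strings carry SSI directives.

```python
import html
import re
from urllib.parse import unquote_plus

# An SSI directive is a comment opener immediately followed by '#' and a
# command name; this is the token the server-side parser keys on.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*([a-zA-Z]+)\b")

# Directives that reach the shell, the file system, or parser state
# (assumed set, based on common SSI implementations).
HIGH_RISK = {"exec", "include", "config", "set", "printenv"}

# Constructed template: the application echoes a client-supplied value here.
TEMPLATE = "<html><body>Hello, {{value}}</body></html>"

# Constructed request log, one 'METHOD /path?query' entry per line.
SAMPLE_LOG = [
    "GET /vgn/search?q=vignette+portal",
    "GET /vgn/search?q=%3C!--%23exec+cmd%3D%22...%22--%3E",
    "GET /vgn/profile?name=%3C%21--%23echo+var%3D%22DOCUMENT_NAME%22+--%3E",
]


def find_ssi_directives(text):
    """Return the lowercased names of all SSI directives present in text."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def is_high_risk(directive_names):
    """True if any directive found can execute commands or read files."""
    return any(name in HIGH_RISK for name in directive_names)


def neutralize(text):
    """Escape untrusted text so an SSI-processing server sees only data.

    Escaping '<' breaks the '<!--#' opener, so no directive survives, and the
    browser still renders the original characters to the user.
    """
    return html.escape(text, quote=True)


def render_page_vulnerable(template, user_value):
    """The pattern the advisory describes: the value is echoed verbatim."""
    return template.replace("{{value}}", user_value)


def render_page_hardened(template, user_value):
    """Same page, but the value is neutralized before it enters the template."""
    return template.replace("{{value}}", neutralize(user_value))


def scan_request_log(lines):
    """Flag log entries whose decoded query string contains SSI directives.

    Returns a list of (line_index, directive_names). The query is URL-decoded
    first so that percent-encoded directives are not missed.
    """
    findings = []
    for idx, line in enumerate(lines):
        _, _, target = line.partition(" ")
        _, _, query = target.partition("?")
        names = find_ssi_directives(unquote_plus(query))
        if names:
            findings.append((idx, names))
    return findings


if __name__ == "__main__":
    injected = '<!--#echo var="DOCUMENT_NAME" -->'
    print("vulnerable:", render_page_vulnerable(TEMPLATE, injected))
    print("hardened:  ", render_page_hardened(TEMPLATE, injected))
    for idx, names in scan_request_log(SAMPLE_LOG):
        level = "HIGH" if is_high_risk(names) else "low"
        print(f"line {idx}: SSI directives {names} ({level} risk)")
```

Escaping at output time is the generic fix for this class of bug; on a server where SSI processing cannot be disabled for the affected pages, the log scan gives a way to detect attempts against applications built on the platform while a vendor fix is obtained.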
Solution:
Vignette users should contact Vignette through the standard channels
(VOLS, etc.) in order to obtain a fix.
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
http://www.s21sec.com/es/avisos/s21sec-016-en.txt
The information has been provided by <mailto:vul-serv@s21sec.com> S21SEC.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.