S21SEC-017 - Vignette /vgn/legacy/save SQL access

From: S21SEC (vul-serv_at_s21sec.com)
Date: 05/26/03

  • Next message: S21SEC: "S21SEC-020 - Vignette user enumeration"
    Date: Mon, 26 May 2003 16:09:14 +0200
    To: bugtraq@securityfocus.com
    
    

    ###############################################################
    ID: S21SEC-017-en
    Title: Vignette /vgn/legacy/save SQL access
    Date: 15/03/2003
    Status: Vendor contacted and solution available
    Scope: Execution of SQL SELECT calls
    Platforms: All
    Author: rpinuaga
    Location: http://www.s21sec.com/es/avisos/s21sec-017-en.txt
    Release: External
    ###############################################################

                                    S 2 1 S E C

                               http://www.s21sec.com

                       Vignette /vgn/legacy/save SQL access

    About Vignette
    --------------

    Vignette develops Content Management and Application Portal Software.

    Description of vulnerability
    ----------------------------

    Vignette Software installs by default some help applications under de /vgn web directory.

    One of this utilities is the Vignette Legacy Tool. This application is accessed through it's main template /vgn/legacy/edit. This template is protected by the [ NEEDS LOGIN ] directive and it's not accesible for unauthenticated users.

    The problem is that the real job of this application is carried by the /vgn/legacy/save template, which is not protected.

    The only check that is done is in the RECORD directive. But this check is easyly bypassed.

    The check only looks for an vgn_creds cookie, but it does not check it's content. So what is only needed to do a succesful query is to put some random value on this cookie.

    This way it's possible to do a SELECT query, over any SQL table that is accesible from the Vignette user that has access to the database.

    Affected Versions and platforms
    -------------------------------

    This vulnerability has been tested in Vignette StoryServer 4, StoryServer 5 and Vignette V/5. But it seems that all currently avaliable versions are vulnerable.

    Solution
    --------

    Insert a [ NEEDS LOGIN ] directive in the top of the source code for the /vgn/legacy/save template.
    Vignette users should procceed to contact vignette throught the standard channels VOLS etc in order to get a solution.

    Additional information
    ----------------------

    These vulnerabilities have been found and researched by:

     Ramon Pinuaga Cascales rpinuaga@s21sec.com

    You can find the last version of this warning in:

            http://www.s21sec.com/es/avisos/s21sec-017-en.txt

    And other S21SEC warnings in http://www.s21sec.com/es/avisos/


  • Next message: S21SEC: "S21SEC-020 - Vignette user enumeration"

    Relevant Pages