CERT Vulnerability Note VU#553166

BlogEngine.net information disclosure vulnerability

Published: 2014-01-02 (www.kb.cert.org)

CVSS2

Base score: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.005
Percentile: 76.6%

Overview

BlogEngine.net 2.8.0.0 and earlier versions contain an information disclosure vulnerability which could allow an attacker to gain access to credentials.

Description

CWE-200: Information Exposure

BlogEngine.net 2.8.0.0 and earlier contain an information disclosure vulnerability which could allow an attacker to gain access to credential information. BlogEngine.net allows unauthenticated users to retrieve system configuration data through the sioc.axd handler, and that data contains the usernames and hashed passwords of the BlogEngine.net site's user accounts.
Impact

An unauthenticated remote attacker could gain access to credential information on the BlogEngine.net system.


Solution

We are currently unaware of a practical solution to this problem.


Restrict access to the sioc.axd configuration file

Restrict access to the sioc.axd configuration file to trusted networks. If possible, place management and transit networks on separate VLANs, or restrict access to the server using IP access lists.
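As an added example (not part of the CERT note and not BlogEngine.net's own configuration), the following web.config fragment implements the workaround above on IIS/ASP.NET: it denies anonymous requests to the sioc.axd path and additionally restricts that path to a trusted address range. The loopback entry and the 10.0.0.0/24 subnet are placeholders to be replaced with the site's actual management network.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the CERT note or the BlogEngine.net project.
     Restricts the sioc.axd handler, which exposes usernames and password
     hashes to unauthenticated users, to authenticated requests from a
     trusted network. Addresses below are placeholders. -->
<configuration>
  <location path="sioc.axd">

    <!-- ASP.NET authorization for this path only.
         users="?" is the wildcard for anonymous (unauthenticated) users,
         so every request that has not been authenticated is rejected. -->
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>

    <!-- IIS 7+ IP restriction for this path only. Requires the
         "IP and Domain Restrictions" feature to be installed and the
         ipSecurity section to be unlocked in applicationHost.config.
         allowUnlisted="false" blocks every address not listed below. -->
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <!-- placeholder: local administration from the server itself -->
          <add ipAddress="127.0.0.1" allowed="true" />
          <!-- placeholder: trusted management subnet 10.0.0.0/24 -->
          <add ipAddress="10.0.0.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>

  </location>
</configuration>
```

Before this fragment takes effect, the ipSecurity section must be delegated to web.config; on the server this is done with `%windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/security/ipSecurity`. Note that sioc.axd is a public SIOC/RDF feed, so denying anonymous access also removes that feed for outside consumers; the address list is the more targeted control if the feed must stay reachable from specific hosts.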
Vendor Information


BlogEngine Affected

Updated: December 10, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group          Score  Vector
Base           5      AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal       3.8    E:U/RL:U/RC:UC
Environmental  1.1    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Ali Hussein of Help AG Middle East for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2013-6953
Date Public: 2013-12-13
Date First Published:
