Vignette NEEDS Arbitrary TCL Injection

2003-05-26T09:14:17
ID OSVDB:4859
Type osvdb
Reporter Ramon Pinuaga Cascales (rpinuaga@s21sec.com)
Modified 2003-05-26T09:14:17

Description

Vulnerability Description

Vignette Content Suite V5 and V6 and Vignette StoryServer V5 contain a flaw that allows a malicious user to execute arbitrary TCL commands. The proprietary NEEDS command evaluates some unfiltered variables with the SET command, so a user who injects Vignette code through those variables can execute arbitrary TCL commands. The affected input variables are HTTP_QUERY_STRING and HTTP_COOKIE. If the Vignette/TCL escape characters "[" and "]" are included, the code between them is evaluated as valid TCL code.
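
A log-review check for the pattern described above, as an added example (not part of the OSVDB entry or of Vignette's code): it URL-decodes the two affected inputs and reports bracketed spans that would reach NEEDS. The request record layout, the names FIELDS and MAX_DECODE_ROUNDS, and the sample data are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Innermost [ ... ] span with non-empty content: the construct the advisory
# says is evaluated as TCL when it reaches NEEDS/SET unfiltered.
BRACKET_SPAN = re.compile(r"\[([^\[\]]+)\]")
FIELDS = ("HTTP_QUERY_STRING", "HTTP_COOKIE")  # inputs named in the advisory
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double URL-encoding


def decode_layers(value):
    """Yield the raw value, then each successive URL-decoded form."""
    yield value
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            return
        value = decoded
        yield value


def bracket_spans(value):
    """Return the distinct bracketed spans found in any decoding layer."""
    spans = []
    for layer in decode_layers(value):
        for match in BRACKET_SPAN.finditer(layer):
            if match.group(1).strip() and match.group(0) not in spans:
                spans.append(match.group(0))
    return spans


def scan_requests(requests):
    """Map request id -> {field: spans} for requests that carry a span."""
    findings = {}
    for req in requests:
        hits = {f: bracket_spans(req.get(f, "")) for f in FIELDS}
        hits = {f: s for f, s in hits.items() if s}
        if hits:
            findings[req["id"]] = hits
    return findings


# Constructed sample requests (not taken from the advisory).
SAMPLE_REQUESTS = [
    {"id": "r1", "HTTP_QUERY_STRING": "page=home&lang=en", "HTTP_COOKIE": "sid=abc123"},
    {"id": "r2", "HTTP_QUERY_STRING": "page=%5Bclock%20seconds%5D", "HTTP_COOKIE": "sid=abc123"},
    {"id": "r3", "HTTP_QUERY_STRING": "page=home", "HTTP_COOKIE": "pref=%255Bclock%2520seconds%255D"},
    {"id": "r4", "HTTP_QUERY_STRING": "ids[]=1&ids[]=2", "HTTP_COOKIE": ""},
]
```

Empty brackets such as `ids[]=1` are ignored because they enclose no code. Brackets also occur in legitimate parameters, so each hit is a candidate for review, not a confirmed injection.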

Solution Description

Upgrade to version 6.0.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Related OSVDB ID: 4860
Other Advisory URL: http://bas.scheffers.net/vgn-needs-login-exploit.html
Mail List Post: http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-05/0289.html
ISS X-Force ID: 12070
CVE-2003-0405
Bugtraq ID: 7690