Vignette save Template SQL Access

2003-05-26T09:09:14
ID OSVDB:4909
Type osvdb
Reporter Ramon Pinuaga Cascales (rpinuaga@s21sec.com)
Modified 2003-05-26T09:09:14

Description

Vulnerability Description

Vignette and StoryServer products contain a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered by a lack of validation of user credentials in the Vignette Legacy Tool, which allows an attacker to inject arbitrary SQL SELECT statements against any SQL table accessible to the Vignette user, resulting in a loss of confidentiality.

Technical Description

One of the default utilities installed under the /vgn directory, the Vignette Legacy Tool, has user restrictions enforced by the [ NEEDS LOGIN ] directive in the main "/vgn/legacy/edit" template. However, actions from this template are performed by another template ("/vgn/legacy/save") that lacks the same restrictive directive, allowing a remote attacker to query the database for information using SQL SELECT statements. Note that Vignette has stated that "this template is a sample, which cannot be launched to a live CDS unless explicitly specified."

Solution Description

For upgrade or patch information, Vignette customers should contact Technical Support. It is also possible to correct the flaw by implementing the following workaround(s):

Insert a [ NEEDS LOGIN ] directive at the top of the source code for the /vgn/legacy/save template.
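
The check below is an added example, not code from the advisory or from Vignette: it audits template sources for the edit/save pattern described above, where one template in a directory carries the [ NEEDS LOGIN ] directive and a sibling does not. It assumes the template sources have been exported as text keyed by template path; the template bodies and the /vgn/legacy/view and /public/index paths are constructed sample data.

```python
import re
from collections import defaultdict
from posixpath import dirname

# Directive text as quoted in the advisory; whitespace inside the brackets is tolerated.
NEEDS_LOGIN = re.compile(r"\[\s*NEEDS\s+LOGIN\s*\]")


def login_status(source):
    """Classify one template: 'top', 'late' (present but not first), or 'missing'."""
    lines = [ln.strip() for ln in source.splitlines() if ln.strip()]
    if lines and NEEDS_LOGIN.match(lines[0]):
        return "top"
    if NEEDS_LOGIN.search(source):
        return "late"  # the workaround asks for the top of the source, so flag for review
    return "missing"


def audit_templates(templates):
    """Return (path, status) for templates that are unprotected while a sibling
    template in the same directory is protected (the edit/save pattern)."""
    by_dir = defaultdict(dict)
    for path, source in templates.items():
        by_dir[dirname(path)][path] = login_status(source)
    findings = []
    for group in by_dir.values():
        if "top" not in group.values():
            continue  # nothing in this directory is login-protected; out of scope
        findings += [(p, s) for p, s in sorted(group.items()) if s != "top"]
    return findings


# Constructed sample input: template bodies are placeholders, not Vignette code.
SAMPLE = {
    "/vgn/legacy/edit": "[ NEEDS LOGIN ]\n<form action=\"/vgn/legacy/save\">...</form>\n",
    "/vgn/legacy/save": "<!-- runs the submitted query -->\n...\n",
    "/vgn/legacy/view": "<!-- header -->\n[NEEDS LOGIN]\n...\n",
    "/public/index": "<html>...</html>\n",
}

if __name__ == "__main__":
    for path, status in audit_templates(SAMPLE):
        print(f"{path}: NEEDS LOGIN directive {status}")
```

Directories in which no template carries the directive are skipped on purpose, so the report stays focused on tools that are meant to be restricted but have an unprotected action handler.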

References:

Mail List Post: http://cert.uni-stuttgart.de/archive/bugtraq/2003/05/msg00284.html
ISS X-Force ID: 12076
Generic Informational URL: http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0085.html
CVE-2003-0399
Bugtraq ID: 7683