Vignette SSI Include Arbitrary Code Execution

2003-05-26T09:07:22
ID OSVDB:4913
Type osvdb
Reporter Ramon Pinuaga Cascales (rpinuaga@s21sec.com)
Modified 2003-05-26T09:07:22

Description

Vulnerability Description

Vignette contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when the SSI EXEC feature is enabled in the Vignette application. This flaw may lead to a loss of confidentiality, integrity and/or availability.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Vignette has released a patch to address this vulnerability.

References:

Vendor Specific Solution URL: http://support.vignette.com/VOLSS/KB/View/1,,5557,00.html
Secunia Advisory ID: 8908
Other Advisory URL: http://marc.theaimsgroup.com/?l=bugtraq&m=105405734223874&w=2
Mail List Post: http://archives.neohapsis.com/archives/sans/2003/0074.html
Mail List Post: http://cert.uni-stuttgart.de/archive/bugtraq/2003/05/msg00278.html
Mail List Post: http://archives.neohapsis.com/archives/sans/2003/0076.html
Keyword: Vignette StoryServer SSI
ISS X-Force ID: 12077
CVE-2003-0398
Bugtraq ID: 7685