Livetecs Timelive 6.2.71 Unauthenticated Access

2014-04-23T00:00:00
ID PACKETSTORM:126292
Type packetstorm
Reporter Richard Hatch
Modified 2014-04-23T00:00:00

Description

                                        
                                            `Vulnerability title: Unauthenticated access to sensitive information and  
functionality in Livetecs Timelive  
CVE: CVE-2014-1217  
Vendor: Livetecs  
Product: Timelive  
Affected version: 6.2.71  
Fixed version: 6.2.8  
Reported by: Richard Hatch  
  
Details:  
It was possible to access a URL that allowed unauthenticated access  
to sensitive configuration change functionality, and also revealed the  
database connection  
string (including authentication credentials) used by TimeLive to access  
the database.  
  
The following URL was identified:  
http://MyTimeLiveServer/home/systemsetting.aspx  
  
Note: This URL was identified by entering "timelive default credentials"  
into the Google  
Internet search engine. At time of writing the URL was revealed by the  
first result returned  
by Google.  
  
  
Further details at:  
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1217/  
  
  
Copyright:  
Copyright (c) Portcullis Computer Security Limited 2014, All rights  
reserved worldwide. Permission is hereby granted for the electronic  
redistribution of this information. It is not to be edited or altered in  
any way without the express written consent of Portcullis Computer  
Security Limited.  
  
Disclaimer:  
The information herein contained may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There  
are NO warranties, implied or otherwise, with regard to this information  
or its use. Any use of this information is at the user's risk. In no  
event shall the author/distributor (Portcullis Computer Security  
Limited) be held liable for any damages whatsoever arising out of or in  
connection with the use or spread of this information.  
`