myreview-disclose.txt

Reported by Julien Thomas, 21 Jul 2008. Type: packetstorm. Source: packetstormsecurity.com

Incorrect management of submitted papers in the MyReview system allows unintended users to download sensitive papers, an information leakage risk.

Related

Family    | Title                  | Published         | Source
CVE       | CVE-2008-3671          | 13 Aug 2008 19:00 | cve
Cvelist   | CVE-2008-3671          | 13 Aug 2008 19:00 | cvelist
EUVD      | EUVD-2008-3657         | 7 Oct 2025 00:30  | euvd
NVD       | CVE-2008-3671          | 13 Aug 2008 19:41 | nvd
Prion     | Information disclosure | 13 Aug 2008 19:41 | prion
RedhatCVE | CVE-2008-3671          | 21 May 2025 19:54 | redhatcve
Incorrect management of the submission and camera-ready versions of
papers submitted to the MyReview system lets unintended users download
these documents. This information leakage can be used to illegally
retrieve sensitive or licensed documents.
  
I. Description
The MyReview web application is an open-source web application used in
the research community to manage the paper submission and paper review
phases of conferences. Based on the well-known PHP+MySQL framework and
distributed under the GNU General Public License, it has been used by
thousands of conferences worldwide.
Incorrect management of the submission and camera-ready versions of
papers submitted to the MyReview system lets unintended users download
these documents. This flaw bypasses all the access controls implemented
by the MyReview developers. This information leakage is critical, as
the documents submitted to conferences, particularly at the submission
phase, contain sensitive information that researchers may not want
to be publicized.
Besides, this flaw can be used by attackers to retrieve at will the
final version of the documents after the conference is over. These
final versions may not be free, as is often the case for conferences.
More information about this flaw will be publicized later on, as it
could be used to attack existing deployments of the MyReview system.
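
The advisory describes the control that was bypassed but, deliberately, not how. As an added illustration of the defensive side (not MyReview's code, not the patch mentioned in the Solution section, and not derived from the actual flaw), the following PHP download handler shows the shape of the check a paper-download endpoint needs: the decision is made server-side from the user's session role and the paper's ownership and reviewer assignments, anonymous requests are denied by default, and the file path comes from the server-side record rather than from the request. All role names, phase names, array layouts and paths are assumptions; MyReview's real schema and code are not known here.

```php
<?php
// Added example, not MyReview code. Roles, phases, and data layout are assumed.
declare(strict_types=1);

// Constructed sample data standing in for database rows.
const PAPERS = [
    // paper id => metadata; storage paths stay server-side and are never sent to clients
    12 => [
        'author_id'         => 7,
        'submission_path'   => '/var/papers/12/submission.pdf',
        'camera_ready_path' => '/var/papers/12/final.pdf',
    ],
];
const ASSIGNMENTS = [
    // paper id => ids of reviewers assigned to it
    12 => [21, 22],
];

/**
 * Decide whether $user may download $version of paper $paperId.
 * $user    : ['id' => int, 'role' => 'author'|'reviewer'|'chair']
 * $version : 'submission' or 'camera_ready'
 * $phase   : current conference phase, e.g. 'submission', 'review', 'final'
 */
function mayDownload(array $user, int $paperId, string $version, string $phase): bool
{
    if (!isset(PAPERS[$paperId])) {
        return false;                       // unknown paper: deny without revealing existence
    }
    $paper = PAPERS[$paperId];

    if ($user['role'] === 'chair') {
        return true;                        // chairs see everything
    }
    if ($user['role'] === 'author') {
        return $paper['author_id'] === $user['id'];   // authors see only their own paper
    }
    if ($user['role'] === 'reviewer') {
        // reviewers see only the submission version of papers assigned to them,
        // and only while the review phase is open
        return $version === 'submission'
            && $phase === 'review'
            && in_array($user['id'], ASSIGNMENTS[$paperId] ?? [], true);
    }
    return false;                           // unknown role: deny by default
}

/**
 * Stream the document only after the authorization check passes.
 * Returns the path that was served, or null when access was denied,
 * so the decision is easy to log and to unit-test.
 */
function serveDownload(?array $user, int $paperId, string $version, string $phase): ?string
{
    // $user === null models an unauthenticated request: denied before any lookup
    if ($user === null || !mayDownload($user, $paperId, $version, $phase)) {
        http_response_code(403);
        error_log(sprintf('paper download denied: user=%s paper=%d version=%s',
            $user['id'] ?? 'anonymous', $paperId, $version));
        return null;
    }
    $column = $version === 'camera_ready' ? 'camera_ready_path' : 'submission_path';
    $path   = PAPERS[$paperId][$column];    // path from the record, never from the request
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="paper-' . $paperId . '.pdf"');
    readfile($path);
    return $path;
}

// Constructed checks: anonymous access is refused, an assigned reviewer is admitted
// during review, and the same reviewer is refused the camera-ready version.
var_dump(serveDownload(null, 12, 'submission', 'review') === null);                                  // bool(true)
var_dump(mayDownload(['id' => 21, 'role' => 'reviewer'], 12, 'submission', 'review') === true);      // bool(true)
var_dump(mayDownload(['id' => 21, 'role' => 'reviewer'], 12, 'camera_ready', 'final') === false);    // bool(true)
```

The point of the two-function split is that the authorization decision is a pure function of the session and the record, which makes the rule set auditable and lets a deployment log every denied request; on the monitoring side, repeated 403s for document ids from one source during the submission phase are the signal a chair would want to see.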
  
II. Impact
Exploitation of this vulnerability could lead to the loss of the
sensitive information managed by MyReview: the submission and camera-ready
versions of submitted papers may be downloaded.
  
III. Solution
The Laboratoire de Recherche en Informatique (LRI), which provides
MyReview, has been contacted and has received a patch I made for this
vulnerability. However, to avoid attacks on unpatched websites (which are
very easy to do), the author decided to let the LRI make the
decision about how to efficiently perform the update. Please see
your vendor's advisory for updates and mitigation capabilities. A good
point would be to subscribe to the MyReview newsletter, if not done yet.
  
Versions and Platforms Affected
Affected Platforms - Any  
Affected Software - MyReview, http://myreview.intellagence.eu/  
Affected Versions - Any (prior or equal to 1.9.9, as 2.0 is still in beta)  
Severity - High  
  
Requirements  
Authentication - None  
Access - Distant (Internet)  
  
References  
<to be upgraded later on>  
  
Credit  
This vulnerability was reported by Julien A. Thomas.  
Contact : [email protected]  
TELECOM Bretagne homepage: http://perso.telecom-bretagne.eu/julienthomas/  
Personal homepage: http://www.julienthomas.eu/  
  
Other Information  
Date Discovered - 16/07/2008  
Date Public - 18/07/2008  
Date First Published - 18/07/2008  
Date Last Updated - 18/07/2008  
CVE Name (candidate) - CVE-2008-3671  
  
PS: sorry if this message was sent twice, but I got some mailer-daemon
rejections ...
  
Julien


Vulners AI Score: 6.8 (Medium risk)
EPSS: 0.00221