lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 12 Dec 2011 13:05:09 +1100
From: Troy Rose <troy@...security.com.au>
To: bugtraq@...urityfocus.com
Subject: OSI Security: Squiz Matrix - User Account Enumeration

Squiz Matrix - User Account Enumeration
http://www.osisecurity.com.au/advisories/squiz-matrix-user-enumeration

Release Date:
12-Dec-2011

Software:
Squiz - Matrix
http://www.squiz.net/

"Squiz Matrix delivers highly flexible and robust business integration
engine and application development tools. It is an evolution, and the
latest release, of the very successful MySource Matrix content
management system."

Versions tested / affected:
Squiz Matrix 4.6.0

Vulnerability discovered:

User Account Enumeration and User Account Information Disclosure

Vulnerability impact:

Low - Remote user accounts can be ascertained, and then possibly used
to further gain access to valid credentials.

Vulnerability information:

Most information in Squiz Matrix CMS, including users, are stored as
entites called "assets". This includes user accounts. By enumerating
all assets, it is possible to determine if the asset is a user account
by viewing the web page of a given asset by looking for the asset name
prepended by a "~" character. Furthermore, if a valid user account
asset is found, under most conditions tested, it is possible to
disclose
the user's account's full name/description by looking at the user's
asset offset by -2.

Example :

http://[target]/?a=1000

You do not have permission to access <i>~test</i>

http://[target]/?a=998

You do not have permission to access <i>Test Account</i>

Recommendation:

Upgrade to version 4.4.5 or 4.6.1

Workaround:

N/A.

Credit:
This vulnerability was disclosed by Troy Rose

Disclosure timeline:
05-Oct-2011 - Discovered during audit.
08-Nov-2011 - Notified vendor. Vendor response.
11-Nov-2011 - Vendor patched in CVS repository.
11-Nov-2011 - Vendor announces release of v4.4.5 and 4.6.1
05-Dec-2011 - Vendor releases v4.4.5 and 4.6.1
12-Dec-2011 - Disclosure.

About OSI Security:

OSI Security is an independent network and computer security auditing
and consulting company based in Sydney, Australia. We provide internal
and external penetration testing, vulnerability auditing and wireless
site audits, vendor product assessments, secure network design,
forensics and risk mitigation services.

We can be found at http://www.osisecurity.com.au/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ