Westpoint Security Advisory
---------------------------

Title:         Ektron CMS400.NET Information Disclosure Vulnerability
Risk Rating:   High
Platforms:     ASP.net (Windows)
Discovered by: Richard Moore and Rohan Stelling
Author:        Paul Jones
Date:          06 Oct 2009
Advisory ID#:  wp-09-0006
URL:           http://www.westpoint.ltd.uk/advisories/wp-09-0006.txt
CVE:

Overview
--------

The Ektron CMS provides unauthenticated access to a diagnostics page that contains sensitive information about the www.example.com website and other sites on the same server.

Details
-------

The sensitive information includes:

* The details required to take over the session of an authenticated user (including site administrators)
* Details of the software versions in use
* Information about the security settings that have been applied

The information includes the session identifier of the session that was in use when errors occur. Using this information, an attacker can hijack the session of another user, effectively gaining all the rights of that user.

A further concern is that the information disclosed does not appear to be limited to the www.example.com website itself. For example, during our testing we observed messages about sites relating to another brand, such as:

    Exception thrown from: /
    Access to the path 'D:\data\secondexample\uploadedimages\Diaries\Bloggers\spacer.gif' is denied.
    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
    at System.IO.FileStream.Init(String path, FileMode mode, FileAccess

This suggests that the sites are sharing the same server and are not fully isolated from each other. As a result, a flaw in one site could have security implications for the others.

Impact
------

An attacker is able to gain access to the www.example.com web site as an authenticated user, and even as a user with rights to manipulate the CMS. This enables the attacker to modify arbitrary site content, and even to upload custom scripts that execute malicious code.

The leakage of information pertaining to other websites suggests that the potential for damage could extend to other sites running on the same host.

Timeline
--------

17 Jul 2008  Ektron informed of the vulnerability
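The following is an added example for site operators auditing their own diagnostics or error pages for the three classes of disclosure the advisory describes (session identifiers, stack traces with server file paths, software versions); it is not Westpoint's or Ektron's code. The sample response body is constructed, modelled on the exception excerpt above, and the cookie name ASP.NET_SessionId and the site root D:\data\example are assumptions.

```python
"""Scan an HTTP response body for the disclosures named in the advisory:
session identifiers, .NET stack frames, server file paths and version strings.
Added audit example for defenders; the sample body below is constructed."""
import re

# One pattern per indicator class. The session pattern assumes the default
# ASP.NET cookie name and its 24-character value.
PATTERNS = {
    "session_id": re.compile(r"ASP\.NET_SessionId=([a-z0-9]{24})", re.I),
    "stack_frame": re.compile(r"^\s*at\s+[\w.`<>]+\(.*\)?$", re.M),
    "file_path": re.compile(r"\b[A-Za-z]:\\(?:[^\s'\"\\]+\\)*[^\s'\"\\]+"),
    "version": re.compile(r"\b(?:Version|Ektron)\b[^\n]{0,40}?\d+(?:\.\d+){1,3}", re.I),
}

def scan_response(body):
    """Return {indicator_class: [matched text, ...]} for every class found."""
    findings = {}
    for name, pattern in PATTERNS.items():
        hits = [m.group(0).strip() for m in pattern.finditer(body)]
        if hits:
            findings[name] = hits
    return findings

def cross_site_paths(findings, own_root):
    """Leaked paths outside this site's own document root: evidence that the
    page is exposing another site hosted on the same server."""
    own = own_root.lower().rstrip("\\") + "\\"
    return [p for p in findings.get("file_path", []) if not p.lower().startswith(own)]

# Constructed diagnostics output; the exception lines follow the advisory's excerpt.
SAMPLE_BODY = """Ektron CMS400.NET diagnostics (constructed sample)
Version 7.6.1.20
Request cookies: ASP.NET_SessionId=abcdefghijklmnopqrstuvwx; path=/
Exception thrown from: /
Access to the path 'D:\\data\\secondexample\\uploadedimages\\Diaries\\Bloggers\\spacer.gif' is denied.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access)
"""

if __name__ == "__main__":
    found = scan_response(SAMPLE_BODY)
    for kind, hits in found.items():
        print(f"{kind}: {hits}")
    # Assumed document root of the audited site (www.example.com).
    print("paths outside own site root:", cross_site_paths(found, r"D:\data\example"))
```

Run the same scan against captured responses from your own error and diagnostics endpoints; any non-empty result means the page should be restricted to authenticated administrators or removed.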