Westpoint Security Advisory
---------------------------

Title: Ektron CMS400.NET Cookie Manipulation Vulnerability
Risk Rating: Medium
Platforms: ASP.net (Windows)
Discovered by: Richard Moore and Rohan Stelling
Author: Paul Jones
Date: 06 Oct 2009
Advisory ID#: wp-09-0007
URL: http://www.westpoint.ltd.uk/advisories/wp-09-0007.txt
CVE:

Overview
--------

The Ektron CMS 400.NET application appears to use a number of different mechanisms to verify whether a user has an authenticated session, depending on the particular page being accessed. One of these mechanisms uses the value of 'user_id' in a cookie named 'ecm' to determine whether a user has successfully authenticated. This cookie can be manipulated in order to gain unintended privileges.

Details
-------

Accessing the following URL with the default cookie produces the error message "Workspace for user does not exists".

http://www.example.com/WorkArea/MyWorkSpace/MyDocuments.aspx

Accessing the same page after manipulating the 'ecm' cookie so that it contains the key/value pair user_id=1 produces no such error.

It was likewise possible to exploit this vulnerability to access the details of other users, and it is likely that the vulnerability can be used to modify the details of users. By accessing the page below with a cookie containing modified values for user_id, it was possible to extract the names and email addresses of the site's users.

http://www.example.com/WorkArea/edituserprofile.aspx

Impact
------

This vulnerability allows an attacker to steal (and possibly modify) user information, including passwords. These details could be sold to spammers or used in a social engineering scam. Additionally it would be possible to steal credentials, and ultimately compromise the site.

Timeline
--------

17 Jul 2008 Ektron informed of the vulnerability
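The root cause described in the Details section is that the server treats a client-supplied 'user_id' inside the 'ecm' cookie as proof of identity. The following Python is an added illustration, not code from the advisory or from Ektron: it shows a handler with that flaw beside two standard fixes, a cookie whose contents are bound to a server-side HMAC (so a changed user_id no longer verifies) and an opaque session token that is mapped to the user on the server (so any user_id pair the client adds is ignored). The '&'-separated key/value layout of the 'ecm' cookie, the user records and the function names are all assumptions made for the example.

```python
"""Added example: trusting a cookie-supplied user_id, beside two fixes.
Cookie layout, user records and names are constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed user table standing in for the CMS user store.
USERS = {
    1: {"name": "Site Admin", "email": "admin@example.com"},
    7: {"name": "Ordinary User", "email": "user7@example.com"},
}


def parse_cookie_header(header):
    """Split a raw Cookie header into {name: value}; values may contain '='."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def parse_ecm(header):
    """Return the key/value pairs inside the 'ecm' cookie (assumed '&'-separated)."""
    pairs = {}
    for item in parse_cookie_header(header).get("ecm", "").split("&"):
        if "=" in item:
            key, value = item.split("=", 1)
            pairs[key] = value
    return pairs


# --- The flawed pattern: the client chooses who it is -----------------------
def profile_insecure(cookie_header):
    """Mirrors the advisory's flaw: whatever user_id the client sends is trusted."""
    user_id = parse_ecm(cookie_header).get("user_id")
    if user_id is None or not user_id.isdigit():
        return None
    return USERS.get(int(user_id))


# --- Fix 1: bind the cookie contents to a server secret with an HMAC --------
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


def issue_signed_ecm(user_id, key=SERVER_KEY):
    """Build an 'ecm' cookie whose user_id is covered by an HMAC-SHA256 tag."""
    payload = f"user_id={user_id}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"ecm={payload}&sig={sig}"


def profile_signed(cookie_header, key=SERVER_KEY):
    """Accept the user_id only if the tag verifies; constant-time comparison."""
    pairs = parse_ecm(cookie_header)
    user_id = pairs.get("user_id", "")
    expected = hmac.new(key, f"user_id={user_id}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, pairs.get("sig", "")):
        return None  # missing or tampered: user_id was edited after issue
    return USERS.get(int(user_id)) if user_id.isdigit() else None


# --- Fix 2: opaque session token, identity resolved on the server -----------
SESSIONS = {}  # server-side store: random token -> user_id


def create_session(user_id):
    """Start a session after a successful login; the cookie carries no identity."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return f"ecm=session={token}"


def profile_session(cookie_header):
    """Look the token up server-side; any user_id the client adds is ignored."""
    token = parse_ecm(cookie_header).get("session")
    user_id = SESSIONS.get(token)
    return USERS.get(user_id) if user_id is not None else None
```

The signed-cookie variant is the lighter change for an existing cookie format, but it still exposes the user_id to the client and must be combined with expiry and key rotation; the server-side session is the pattern most frameworks (including ASP.NET's own session state) provide out of the box and is the one to prefer for new code.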