Westpoint Security Advisory
---------------------------

Title:         Ektron CMS400.NET Insecure Access Control
Risk Rating:   Medium
Platforms:     ASP.net (Windows)
Discovered by: Richard Moore and Rohan Stelling
Author:        Paul Jones
Date:          06 Oct 2009
Advisory ID#:  wp-09-0009
URL:           http://www.westpoint.ltd.uk/advisories/wp-09-0009.txt
CVE:

Overview
--------

Administrative elements of the Ektron CMS400.NET application were found
to be accessible by both unauthenticated users and anonymously created
user accounts.

Details
-------

The CMS fails to sufficiently segregate users who simply created an
account on the www.example.com website from users created for the
purpose of managing the site content.

For example, by navigating to the URL below an unauthenticated attacker
could enumerate the names and email addresses of the site's users:

http://www.example.com/WorkArea/MyWorkSpace/FriendSearch.aspx

The http://www.example.com/WorkArea/ directory and subsequent
subdirectories on the www.example.com website were found to contain a
large number of scripts that are accessible to users who simply created
an account on the site, and even users with no credentials at all.

However, due to time constraints, it was not possible to determine what
information or operations are possible through each of these pages. It
is likely that some of these pages might provide additional resources
that need to be restricted.

Impact
------

A number of pages containing sensitive information are accessible by
anyone who registers with the site. In addition, some sensitive pages
are accessible by users who have not registered at all.

Timeline
--------

17 Jul 2008  Ektron informed of the vulnerability
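
Added example (not part of the Westpoint advisory or of Ektron's code): a log review a site operator can run to see which pages under /WorkArea/ were served to requests with no authenticated identity, the condition described under Details. It assumes IIS W3C extended logs in which cs-username carries the signed-in user; the sample log lines and the allowlisted login page are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2009-10-06 10:00:01 GET /WorkArea/MyWorkSpace/FriendSearch.aspx - - 192.0.2.10 200
2009-10-06 10:00:05 GET /workarea/MyWorkSpace/FriendSearch.aspx - - 192.0.2.10 200
2009-10-06 10:01:12 GET /WorkArea/login.aspx - - 192.0.2.11 200
2009-10-06 10:02:30 GET /WorkArea/MyWorkSpace/FriendSearch.aspx - cmsadmin 198.51.100.7 200
2009-10-06 10:03:44 GET /WorkArea/workarea.aspx - - 192.0.2.12 302
2009-10-06 10:04:02 GET /default.aspx - - 192.0.2.12 200
"""

PROTECTED_PREFIX = "/workarea/"                 # directory named in the advisory
EXPECTED_ANONYMOUS = {"/workarea/login.aspx"}   # hypothetical allowlist; adjust per site


def anonymous_workarea_hits(log_text):
    """Count successful anonymous requests per (path, client IP) under /WorkArea/."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]           # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                            # skip truncated or malformed rows
        row = dict(zip(fields, parts))
        path = row.get("cs-uri-stem", "").lower()   # IIS paths are case-insensitive
        if not path.startswith(PROTECTED_PREFIX) or path in EXPECTED_ANONYMOUS:
            continue
        # A 302 to the login page is the desired outcome; only 2xx means content was served.
        served = row.get("sc-status", "").startswith("2")
        # Assumption: cs-username holds the signed-in identity and "-" means anonymous.
        if served and row.get("cs-username", "-") == "-":
            hits[(path, row.get("c-ip", "-"))] += 1
    return hits


if __name__ == "__main__":
    for (path, ip), n in anonymous_workarea_hits(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {ip:15s}  {path}")
```

This check only surfaces the unauthenticated case; telling self-registered site members apart from content-management users requires the application's own account data.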