Westpoint Security Advisory

Title:         Ektron CMS400.NET Information Disclosure Vulnerability
Risk Rating:   High
Platforms:     ASP.net (Windows)
Discovered by: Richard Moore <rich@westpoint.ltd.uk> and Rohan Stelling
Author:        Paul Jones <paul.jones@westpoint.ltd.uk>
Date:          06 Oct 2009
Advisory ID#:  wp-09-0006
URL:           http://www.westpoint.ltd.uk/advisories/wp-09-0006.txt


The Ektron CMS provides unauthenticated access to a diagnostics page that
contains sensitive information about the www.example.com website and other
sites on the same server.


The sensitive information includes:

* The details required to take over the session of an authenticated user
  (including site administrators)
* details of the software versions in use
* information
* about the security settings that have been applied.

The information includes the session identifier of the session that was in use
when errors occur. By using this information an attacker can hijack the
session of another user, effectively gaining all the rights of that user.

A further concern is that the information disclosed does not appear to be
limited to the www.example.com website itself. For example during our testing
we observed messages about sites relating to another brand such as:

Exception thrown from: / 
Access to the path
'D:\data\secondexample\uploadedimages\Diaries\Bloggers\spacer.gif' is denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess

This suggests that the sites are sharing the same server and are not fully
isolated from each other. As a result a flaw in one site could have security
implications for the others.


An attacker is able to gain access to the www.example.com web site as an
authenticated user, and even as a user with rights to manipulate the CMS. This
enables the attacker to modify arbitrary site content, and even to upload
custom scripts that execute malicious code. The leakage of information
pertaining to other websites suggests that the potential for damage could
extend to other sites running on the same host.


17 Jul 2008	Ektron informed of the vulnerability

Designed & Built by e3creative