Westpoint Security Advisory
---------------------------

Title:         Ektron CMS400.NET Cookie Manipulation Vulnerability
Risk Rating:   Medium
Platforms:     ASP.net (Windows)
Discovered by: Richard Moore <rich@westpoint.ltd.uk> and Rohan Stelling
Author:        Paul Jones <paul.jones@westpoint.ltd.uk>
Date:          06 Oct 2009
Advisory ID#:  wp-09-0007
URL:           http://www.westpoint.ltd.uk/advisories/wp-09-0007.txt
CVE:          

Overview
--------

The Ektron CMS 400.NET application appears to use a number of different
mechanisms to verify if a user has an authenticated session depending on the
particular page being accessed. One of these mechanisms utilises values of
'user_id' in a cookie named 'ecm' to determine if a user has
successful authenticated. This cookie can be manipulated in order to gain
unintended privileges.


Details
-------

Accessing the following URL with the default cookie produces the error message
"Workspace for user does not exists".

http://www.example.com/WorkArea/MyWorkSpace/MyDocuments.aspx

Accessing the same page after manipulating the 'emc' cookie such that
key/value pair user_id=1, produces no such error.  Likewise it was possible to
exploit this vulnerability to access the details of other users. It is likely
that the vulnerability can be used to modify the details of users. By
accessing the page below with a cookie containing modified values for the
user_id, it was possible to extract the names and email addresses of the
site's users.

http://www.example.com/WorkArea/edituserprofile.aspx


Impact
------

This vulnerability allows an attacker to steal (and possibly modify) user
information, including passwords. These details could be sold to spammers or
used in a social engineering scam. Additionally it would be possible to steal
credentials, and ultimately compromise the site.


Timeline
--------

17 Jul 2008	Ektron informed of the vulnerability

			
Designed & Built by e3creative