Westpoint Security Advisory

Title:         Ektron CMS400.NET Insecure Access Control
Risk Rating:   Medium
Platforms:     ASP.net (Windows)
Discovered by: Richard Moore <rich@westpoint.ltd.uk> and Rohan Stelling
Author:        Paul Jones <paul.jones@westpoint.ltd.uk>
Date:          06 Oct 2009
Advisory ID#:  wp-09-0009
URL:           http://www.westpoint.ltd.uk/advisories/wp-09-0009.txt


Administrative elements of the Ektron CMS400.Net application were found to be
accessible by both unauthenticated users and anonymously created user


The CMS fails to sufficiently segregate users who simply created an account on
the www.example.com website from users created for the purpose of managing the
site content. For example, by navigating to the URL below an unauthenticated
attacker could enumerate the names and email address of the site's users:


The http://www.example.com/WorkArea/ directory and subsequent subdirectories
on the www.example.com website were found to contain a large number of scripts
that are accessible to users who simply created an account on the site, and
even users with no credentials at all. However, due to time constraints, it
was not possible to determine what information or operations are possible
though each of these pages. It is likely that some of these pages might
provide additional resources that need to be restricted.


A number of pages containing sensitive information are accessible by anyone
who registers with the site. In addition, some sensitive pages are accessible
by users who have not registered at all.


17 Jul 2008	Ektron informed of the vulnerability

Designed & Built by e3creative