Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27442
HistoryDec 12, 2011 - 12:00 a.m.

OSI Security: Squiz Matrix - User Account Enumeration

2011-12-1200:00:00
vulners.com
11
JSON

Squiz Matrix - User Account Enumeration
http://www.osisecurity.com.au/advisories/squiz-matrix-user-enumeration

Release Date:
12-Dec-2011

Software:
Squiz - Matrix
http://www.squiz.net/

"Squiz Matrix delivers highly flexible and robust business integration
engine and application development tools. It is an evolution, and the
latest release, of the very successful MySource Matrix content
management system."

Versions tested / affected:
Squiz Matrix 4.6.0

Vulnerability discovered:

User Account Enumeration and User Account Information Disclosure

Vulnerability impact:

Low - Remote user accounts can be ascertained, and then possibly used
to further gain access to valid credentials.

Vulnerability information:

Most information in Squiz Matrix CMS, including users, are stored as
entites called "assets". This includes user accounts. By enumerating
all assets, it is possible to determine if the asset is a user account
by viewing the web page of a given asset by looking for the asset name
prepended by a "~" character. Furthermore, if a valid user account
asset is found, under most conditions tested, it is possible to
disclose
the user's account's full name/description by looking at the user's
asset offset by -2.

Example :

http://[target]/?a=1000

You do not have permission to access <i>~test</i>

http://[target]/?a=998

You do not have permission to access <i>Test Account</i>

Recommendation:

Upgrade to version 4.4.5 or 4.6.1

Workaround:

N/A.

Credit:
This vulnerability was disclosed by Troy Rose

Disclosure timeline:
05-Oct-2011 - Discovered during audit.
08-Nov-2011 - Notified vendor. Vendor response.
11-Nov-2011 - Vendor patched in CVS repository.
11-Nov-2011 - Vendor announces release of v4.4.5 and 4.6.1
05-Dec-2011 - Vendor releases v4.4.5 and 4.6.1
12-Dec-2011 - Disclosure.

About OSI Security:

OSI Security is an independent network and computer security auditing
and consulting company based in Sydney, Australia. We provide internal
and external penetration testing, vulnerability auditing and wireless
site audits, vendor product assessments, secure network design,
forensics and risk mitigation services.

We can be found at http://www.osisecurity.com.au/

JSON