Vignette and StoryServer /vgn/legacy/save template could allow an attacker to obtain information
| vignette-save-obtain-information (12076) |  Medium Risk |
Description:
Vignette CMS and StoryServer could allow a remote attacker to obtain sensitive information, caused by improper validation of user-supplied cookies by the /vgn/legacy/save template. A remote attacker could create a specially-crafted vgn_creds cookie to bypass the RECORD directive and issue a SQL SELECT statement to obtain sensitive information from the backend database.
Consequences:
Obtain Information
Remedy:
Contact Vignette Technical Support for upgrade or patch information, as listed in S21sec Security Advisory S21SEC-017-en. See References.
References:
- S21sec Security Advisory S21SEC-017-en: Vignette /vgn/legacy/save SQL access.
- VulnWatch Mailing List, Mon May 26 2003 - 19:28:25 CDT: More S21sec Vignette advisories.
- BID-7683: Vignette Unauthorized Legacy Tool Access Vulnerability
- CVE-2003-0399: Vignette StoryServer 4 and 5, Vignette V/5, and possibly other versions allows remote attackers to perform unauthorized SELECT queries by setting the vgn_creds cookie to an arbitrary value and directly accessing the save template.
Platforms Affected:
- Vignette StoryServer 4.0
- Vignette StoryServer 5.0
- Vignette Vignette V5
Reported:
May 26, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net