From advisories@atstake.com Wed Apr 9 01:47:43 2003 From: "@stake Advisories" To: vulnwatch@vulnwatch.org Date: Mon, 07 Apr 2003 10:09:14 -0400 Subject: [VulnWatch] Vignette Story Server sensitive information disclosure (a040703-1) [ The following text is in the "ISO-8859-1" character set. ] [ Your display is set for the "US-ASCII" character set. ] [ Some characters may be displayed incorrectly. ] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 @stake, Inc. www.atstake.com Security Advisory Advisory Name: Vignette Story Server sensitive information disclosure Release Date: 04/07/2003 Application: Vignette Story Server v4.1, 6 Platform: Windows / Unix Severity: A remote user can extract session information, server side code and other sensitive information anonymously Author: Ollie Whitehouse (ollie@atstake.com) Contributions: Florian Walther (scusi@xs4all.nl>) Simon Kilvington (si.kay@bigfoot.com) Vendor Status: Vendor notified, Patch available CVE Candidate: CAN-2002-0385 Reference: www.atstake.com/research/advisories/2003/a040703-1.txt Overview: Vignette's Story Server is a web interface to Vignette's content management suite of applications that operates on a variety of platforms and web server technologies. Vignette Story Server allows the publication of both static and dynamic content. The dynamic pages are created using a TCL[1] Interpreter. There exists vulnerability within the TCL interpreter used that allows 'dumping' of the stack of the current running TCL process when generating dynamic pages. This vulnerability results in an attacker being able to extract information about other users sessions, server side code and other sensitive information. This vulnerability has been verified on Vignette Story Server v4.1 and v6.0. Description: Vignette supports a vast range of dynamic content via it's content management system. It allows the use of TCL code to interact with databases, generate cookies, and wide range of other functions. When a request is made to a dynamic page which accepts user input there exists an issue when a large number of " and > characters are input to the TCL interpreter. The effect is that the TCL interpreter will crash returning to the user the data that was on the stack at the current time. - From @stake's testing it has been observed the most likely way to generate the crash is a with a combination of around 214 " and > characters. Contained below is an example URL that if populated would return a large amount of data. https://www.example.co.uk/securelogin/1,2345,A,00.html?Errmessage ="x214>x214 [line wrapped] If above URL is submitted when there is a large number of users performing dynamic functions within the site (i.e. logging in or performing a search) then a large amount of sensitive TCL code will be available upon the stack and send to the attacker. It should be noted that this vulnerability can be exploited continuously without any effect on the availability of the site in question, thus allowing an attacker to effectively wait until they have enough data to achieve their end goal. Timeline*: Jan. 28, 2003 Email contact at Vignette on 28th with details of vulnerability. Recieve questions regarding vulnerability and respond accordingly. February 2003 Vignette confirms they have not been able to reproduce @stake calls Vignette contact to explain vulnerability, understand the product is not affected in it's latest incarnation due to it being Java rather than TCL. Contact says they would like affected customers to upgrade. @stake offers via voice and e-mail to reproduce issue if Vignette provide Internet accessible host. @stake conducts another phone call with Vignette to explain the issue and discuss possible alternatives and solutions @stake has been suggesting to clients. March 2003 @stake contact Vignette requesting an update. Vignette states that questions regarding this issue should be submitted by affected customers via their Vignette support contract. April 4, 2002 Vignette responds that the issue has been fixed and supplies patch information. * It should be noted that @stake customers were effected by this issue and our first priority was to not put them at increased risk. Vendor Response: The problem is fixed and a patch is available. Any Vignette customer who has a security concern with their Vignette deployment should contact Vignette Technical Support through normal channels. Those channels include support@vignette.com, contacting Technical Support in the Americas at 1 888 846 6907, Europe, Middle East and Africa 44(0)1628772299 and Asia Pacific Australia 1 800 110 118 Asia Pacific New Zealand, Singapore, Hong Kong, Taiwan & China: +800 110 11811 Asia Pacific All Others 61.2.9455.5099. Additionally, customers have the following resources available at http://support.vignette.com/VOLSS/KB/View/1,,5360,00.html @stake Recommendations: If you are you have a dynamic application that receives user input you should install the patch. Alternatively, employ string length checks upon user submitted data. @stake has discovered requests under about 100 bytes rarely yield any sensitive information. Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CAN-2002-0385 Story Server sensitive information disclosure @stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/ @stake Advisory Archive: http://www.atstake.com/research/advisories/ PGP Key: http://www.atstake.com/research/pgp_key.asc @stake is currently seeking application security experts to fill several consulting positions. Applicants should have strong application development skills and be able to perform application security design reviews, code reviews, and application penetration testing. Please send resumes to jobs@atstake.com. Copyright 2003 @stake, Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPpGF60e9kNIfAm4yEQJPvwCg6FqAgKrJU9hvoVFTUQ5mfPIEqaMAoKI7 YSizsjE3r94kt4X7iSXIlwVQ =zkG0 -----END PGP SIGNATURE-----