[VIM] Urchin Report.CGI Authorization Bypass Vulnerability
George A. Theall
theall at tenablesecurity.com
Sat Oct 13 11:12:04 UTC 2007
FWIW, the authorization bypass issue in Urchin reported by MustLive
(http://securityvulns.ru/Sdocument90.html) and covered by CVE-2007-5113/
Bugtraq 26037 seems to be a feature rather than a vulnerability. At
least in version 5.7.03, an administrator must enable "Direct Report
Linking" (under "Settings", "Access Settings"). It is disabled by
default, and the online help for this setting says:
"Enabling this feature allows you to circumvent authentication
and create links directly to reports. This can be useful for
systems that are already password or network protected"...
George
--
theall at tenablesecurity.com