Amiro.CMS 5.4.0.0 root folder disclosure vulnerability

2009.10.20
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20


Ogólna skala CVSS: 5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Brak
Wpływ na dostępność: Brak

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ [ONSEC-09-005] Amiro.CMS root folder disclosure Objective: Amiro CMS <= 5.4.0.0 Type: Disclosure of ways Threat: Medium Date Discovered: 01.07.2009 Date of notification Developer: 01.07.2009 Released fixes: 06.10.2009 Author: Vladimir Vorontsov OnSec Russian Security Group (onsec [dot] ru) Description: A vulnerability exists due to improper handling-line user name to log into the administrative console. When you enter your user name%%% attacker can gain information on the full path when you install applications, as well as some of the names of internal variables. In consequence of the fact that the function quits, the administrator does not know of the compromise of the system through the module, "History of logins. Implementation: In the administrative console login prompt, enter the user name: %%% and will realize the login attempt ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ References: (on Russian) http://onsec.ru/vuln?id=11 http://onsec.ru/vuln?id=12

Referencje:

http://xforce.iss.net/xforce/xfdb/53894
http://www.vupen.com/english/advisories/2009/2967
http://www.onsec.ru/vuln?id=12
http://secunia.com/advisories/37065
http://packetstormsecurity.org/0910-exploits/ONSEC-09-005.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top