Back to list
OSI Security: Squiz Matrix - User Account Enumeration
Dec 12 2011 02:05AM
Troy Rose (troy osisecurity com au)
Squiz Matrix - User Account Enumeration
Squiz - Matrix
"Squiz Matrix delivers highly flexible and robust business integration
engine and application development tools. It is an evolution, and the
latest release, of the very successful MySource Matrix content
Versions tested / affected:
Squiz Matrix 4.6.0
User Account Enumeration and User Account Information Disclosure
Low - Remote user accounts can be ascertained, and then possibly used
to further gain access to valid credentials.
Most information in Squiz Matrix CMS, including users, are stored as
entites called "assets". This includes user accounts. By enumerating
all assets, it is possible to determine if the asset is a user account
by viewing the web page of a given asset by looking for the asset name
prepended by a "~" character. Furthermore, if a valid user account
asset is found, under most conditions tested, it is possible to
the user's account's full name/description by looking at the user's
asset offset by -2.
You do not have permission to access <i>~test</i>
You do not have permission to access <i>Test Account</i>
Upgrade to version 4.4.5 or 4.6.1
This vulnerability was disclosed by Troy Rose
05-Oct-2011 - Discovered during audit.
08-Nov-2011 - Notified vendor. Vendor response.
11-Nov-2011 - Vendor patched in CVS repository.
11-Nov-2011 - Vendor announces release of v4.4.5 and 4.6.1
05-Dec-2011 - Vendor releases v4.4.5 and 4.6.1
12-Dec-2011 - Disclosure.
About OSI Security:
OSI Security is an independent network and computer security auditing
and consulting company based in Sydney, Australia. We provide internal
and external penetration testing, vulnerability auditing and wireless
site audits, vendor product assessments, secure network design,
forensics and risk mitigation services.
We can be found at http://www.osisecurity.com.au/
[ reply ]
Copyright 2010, SecurityFocus