Vignette and StoryServer products contain a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered due to a lack of validation of user credentials on the Vignette Legacy Tool, allowing an attacker to inject arbitrary SQL SELECT statements over any SQL table accesible from the Vignette user, resulting in a loss of confidentiality.
Classification
Location:
Remote/Network Access Required
Attack Type:
Input Manipulation,
Misconfiguration
Impact:
Loss of Confidentiality
Exploit:
Exploit Available
Technical
One of the default utilities installed under the /vgn directory, the Vignette Legacy Tool, has user restrictions enforced by the [ NEEDS LOGIN ] directive in the main "/vgn/legacy/edit" template, however actions from this template are performed by another template ("/vgn/legacy/save") that lacks the same restrictive directive, allowing a remote attacker to query the database for information using SQL Select's. Note that Vignette has stated that "this template is a sample, which cannot be launched to a live CDS unless explicitly specified.".
Solution
For an upgrade or patch information, Vignette costumers should contact Technical Support. It is also possible to correct the flaw by implementing the following workaround(s):
Insert a [ NEEDS LOGIN ] directive in the top of the source code for the /vgn/legacy/save template.
s21sec.com - S 2 1 S E C