Sitecore CMS Security Databases Information Disclosure Vulnerability

Vulnerability ID: 1183334    Vulnerability type: Other
Published: 2009-03-24    Updated: 2009-03-24
CVE: CVE-2009-1055    CNNVD ID: CNNVD-200903-389
Platform: N/A    CVSS score: 4.0
|Source
https://cxsecurity.com/issue/WLB-2009030039
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-389
|Vulnerability details
Sitecore CMS is a web content management system. An unspecified vulnerability exists in the web service of Sitecore CMS 5.3.1 rev. 071114. A remote authenticated user can, via unknown vectors related to SOAP and XML requests, gain access to the security databases and obtain administrative and user credentials.
|Exploit
Title:
Sitecore web service information disclosure

CVE Identifier:
____________

Credit: 
National Australia Bank's Security Assurance Team.
The vendor was advised of this vulnerability prior to its public release. National Australia Bank adheres to the "Guidelines for Security Vulnerability Reporting and Response V2.0" document when issuing security advisories.

Class: 	
Information Disclosure
Privilege Escalation

Remote:	
Yes

Local:	
Yes


Vulnerable:	
Sitecore.NET 5.3.1 (rev. 071114); other versions may also be vulnerable.

Not Vulnerable:	


Vendor:	
Sitecore

Discussion:
National Australia Bank's Security Assurance Team has identified a vulnerability in the Visual Sitecore Service, part of the Sitecore CMS application, that allows low-privileged users to gain access to administrative and other users' credentials.

Exploit:
No exploit code provided. Simple SOAP/XML queries are all that is required.

Solution:
Apply patch V5.3.2 rev. 090212
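As an added illustration (not part of this advisory and not vendor code), the check below parses Sitecore version strings in the form the advisory uses ("5.3.1 (rev. 071114)", "5.3.2 rev. 090212") and reports whether a reported build predates the patched release. It only compares version and revision numbers; it does not probe the web service, and the sample version strings at the bottom are constructed for the example.

```python
"""Classify a Sitecore 5.3.x build against the patched release named in the advisory."""
import re
from typing import NamedTuple, Optional

# Assumed format: "<major>.<minor>.<patch> (rev. YYMMDD)" with the parentheses optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\s*\(?rev\.?\s*(\d{6})\)?", re.IGNORECASE)


class SitecoreVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    rev: int  # build revision as printed by Sitecore (YYMMDD), kept as an int for ordering


def parse_version(text: str) -> Optional[SitecoreVersion]:
    """Extract the first Sitecore version/revision pair from a banner or product string."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return SitecoreVersion(*(int(g) for g in m.groups()))


# From the advisory: fixed in 5.3.2 rev. 090212.
PATCHED = SitecoreVersion(5, 3, 2, 90212)


def assess(text: str) -> str:
    """Return one of: 'unknown', 'vulnerable', 'patched', 'unassessed'.

    Only the 5.3 branch is assessed. Because Sitecore reuses the same
    major.minor.patch across builds, a 5.3.2 build with a revision earlier
    than 090212 is still treated as pre-patch; the revision is the deciding field.
    Other branches are reported as 'unassessed' because the advisory states that
    other versions may also be vulnerable without naming them.
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    if (v.major, v.minor) != (PATCHED.major, PATCHED.minor):
        return "unassessed"
    return "vulnerable" if v < PATCHED else "patched"


if __name__ == "__main__":
    # Constructed sample inputs for the example (not real inventory data).
    samples = [
        "Sitecore.NET 5.3.1 (rev. 071114)",
        "Sitecore.NET 5.3.2 (rev. 090101)",
        "Sitecore.NET 5.3.2 (rev. 090212)",
        "Sitecore.NET 6.0.0 (rev. 081022)",
        "no version banner",
    ]
    for s in samples:
        print(f"{s!r}: {assess(s)}")
```

The revision field matters more than the patch level here: the advisory names the fix as "5.3.2 rev. 090212", so a 5.3.2 build with an older revision should not be assumed fixed.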


References:
Vendor Advisory http://sdn5.sitecore.net/Products/Sitecore%20V5/Sitecore%20CMS%205,-d-,3/ReleaseNotes/V5,-d-,3,-d-,2/ChangeLog.aspx
|References

Source: XF
Name: sitecore-web-service-info-disclosure (49298)
Link: http://xforce.iss.net/xforce/xfdb/49298
Source: VUPEN
Name: ADV-2009-0753
Link: http://www.vupen.com/english/advisories/2009/0753
Source: BID
Name: 34162
Link: http://www.securityfocus.com/bid/34162
Source: BUGTRAQ
Name: 20090317 Sitecore.NET 5.3.x - web service information disclosure
Link: http://www.securityfocus.com/archive/1/archive/1/501929/100/0/threaded
Source: SECUNIA
Name: 34356
Link: http://secunia.com/advisories/34356
Source: sdn5.sitecore.net
Link: http://sdn5.sitecore.net/Products/Sitecore%20V5/Sitecore%20CMS%205,-d-,3/ReleaseNotes/V5,-d-,3,-d-,2/ChangeLog.aspx