Ektron CMS Take Over - Hijacking Accounts
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Ektron CMS Take Over - Hijacking Accounts
- From: Mark Litchfield <mark@xxxxxxxxxxxxxx>
- Date: Thu, 30 Jan 2014 01:08:44 -0800
- User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
I have detailed a vulnerability within Ektron CMS that allows an
unauthenticated user to hijack any account. The clear targets of choice
for this CMS would be the builtin or admin account.
Whilst I found this issue back in 2012, it appears that around 65% are
still vulnerable and should be patching their systems. I did notify
Ektron about this and I know a patch was made, but I did not bother
releasing an advisory. Why now... Way to many sites have still not
updated, this could be in part because it appears there is no mention of
the issue on Ektrons site. Security issues are always a good incentive
to adopt patches. The other reason being, I have a new vulnerability in
their fix and I will follow up with this shortly.
As usual, full details can be found here with Screen shots -
http://www.securatary.com/vulnerabilities
All the best
Mark
[Index of Archives]
[Linux Security]
[Netfilter]
[PHP]
[Yosemite News]
[Linux Kernel]
