oss-sec mailing list archives
CVE Request -- Sahana -- v0.6.2.2 -- Authentication bypass via "acl_enable_acl" URLs
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 19 Mar 2010 11:35:10 +0100
Hi Steve, vendors,
Christopher showed:
[1] http://archives.neohapsis.com/archives/bugtraq/2010-03/0156.html
a deficiency in the way the Sahana disaster management system
performed user authentication. Visiting a certain URL
would allow an attacker to view (and potentially modify)
information that should otherwise be protected by authentication.
Upstream bug report:
[2] http://sourceforge.net/tracker/?func=detail&aid=2970786&group_id=127855&atid=709778
References:
[3] http://archives.neohapsis.com/archives/bugtraq/2010-03/0156.html
[4] http://secunia.com/advisories/39020/
Affected versions:
Issue reported against v0.6.2.2. Other versions may also be affected.
Credit:
Christopher
Could you allocate a CVE id for this?
Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
