WebApp Sec mailing list archives

Ektron CMS Take Over - Hijacking Accounts
From: Mark Litchfield <mark () securatary com>
Date: Thu, 30 Jan 2014 01:08:44 -0800

I have detailed a vulnerability within Ektron CMS that allows an unauthenticated user to hijack any account. The clear targets of choice for this CMS would be the builtin or admin account.

Whilst I found this issue back in 2012, it appears that around 65% are still vulnerable and should be patching their systems. I did notify Ektron about this and I know a patch was made, but I did not bother releasing an advisory. Why now... Way too many sites have still not updated; this could be in part because it appears there is no mention of the issue on Ektron's site. Security issues are always a good incentive to adopt patches. The other reason being, I have a new vulnerability in their fix and I will follow up with this shortly.

As usual, full details can be found here with screenshots - http://www.securatary.com/vulnerabilities

All the best
