Published:2011/10/07  Last Updated:2011/10/07

JVN#34980730
A-Form vulnerable in restricting access

Overview

A-Form contains a vulnerability in restricting access permissions.

Products Affected

  • A-Form PC 3.0 and earlier
  • A-Form PC/Mobile 3.0 and earlier
  • A-Form 1.3.5 and earlier
  • A-Form bamboo 1.3.5 and earlier
  • A-Form 2.0.2 and earlier
  • A-Form bamboo 2.0.2 and earlier

Description

A-Form is a plug-in for Movable Type that adds mail forms and survey forms. A-Form contains a vulnerability in restricting access permissions.

Impact

Information managed by A-Form may be altered by a user who does not have administrative privileges.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Apply a patch
Apply the appropriate patch according to the information provided by the developer.

Vendor Status

Vendor Link
ARK-Web co., ltd [Important] Security Update - Release of "A-Member PC 3.1" and "A-Form PC/Mobile 3.1" (Japanese only)
How to apply the security patch for 1.3.6, 2.0.3, 3.1 (Japanese only)
Movable Type Plugin - A-Form (Japanese only)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2011.10.07

Measures Conditions Severity
Access Required can be attacked over the Internet using packets
  • High
Authentication login caused to be created by an administrator
  • Low-Mid
User Interaction Required the vulnerability can be exploited without an honest user taking any action
  • High
Exploit Complexity some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
  • Mid-High

Description of each analysis measures

Credit

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2011-2676
JVN iPedia JVNDB-2011-000078