JVN#53465692
baserCMS vulnerable to session management
Overview
baserCMS contains a vulnerability in session management.
Products Affected
- baserCMS 1.6.15 and earlier
Description
baserCMS is an open-source content management system (CMS). baserCMS contains a vulnerability in session management.
Impact
If a web server hosts several websites and baserCMS is installed on each of them, an administrator of one baserCMS instance can access another baserCMS instance on the same hosting server.
Solution
Update the software
Update to the latest version according to the information provided by the developer.
Apply a workaround
The following workaround may mitigate the effects of this vulnerability.
- Rewrite app/config/core.php
For more information, refer to the developer's website.
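The advisory does not say which settings in app/config/core.php the vendor's workaround changes. The following is an added illustration, not the vendor's workaround and not baserCMS code, of what scoping session state to a single instance looks like in a CakePHP 1.x core.php (baserCMS 1.x is built on CakePHP 1.x, but that baserCMS 1.6 honours exactly these keys is an assumption here). The weak block shows two instances on one host sharing PHP's default session store and the framework's stock cookie name and salt; the hardened block gives each instance its own session store, cookie name and secrets. The placeholder values are constructed and must be replaced with fresh random values per instance.

```php
<?php
// Added example (not baserCMS's or the vendor's code): per-instance
// session settings in a CakePHP 1.x app/config/core.php. Two baserCMS
// instances on one host each have their own copy of this file.

// --- Weak (remove): defaults copied unchanged into every instance ---
// 'php' uses PHP's global session.save_path, which every site on the
// host shares, and the stock cookie name and salt are identical across
// instances, so session state is not tied to one site.
// Configure::write('Session.save', 'php');
// Configure::write('Session.cookie', 'CAKEPHP');
// Configure::write('Security.salt', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi'); // CakePHP stock salt

// --- Hardened: state scoped to this instance only ---
// 'cake' keeps session files under this instance's own app/tmp/sessions
// directory instead of the host-wide PHP session directory.
Configure::write('Session.save', 'cake');

// A cookie name unique to this instance (placeholder; pick one per site).
Configure::write('Session.cookie', 'BASER_SITE_A');

// Salt and cipher seed unique to this instance. Placeholders: generate
// a fresh random 40-character salt and numeric seed for each site.
Configure::write('Security.salt', 'REPLACE_WITH_40_RANDOM_CHARS_UNIQUE_TO_SITE_A');
Configure::write('Security.cipherSeed', 'REPLACE_WITH_UNIQUE_NUMERIC_SEED');

// Keep session ID regeneration on at a non-low security level.
Configure::write('Security.level', 'medium');
Configure::write('Session.timeout', '120');
```

After changing these values, existing sessions become invalid and all users (including administrators) must log in again; make sure app/tmp/sessions is writable by the web server user, or sessions will fail to persist.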
Vendor Status
Vendor | Link |
---|---|
baserCMS | A session management vulnerability (Japanese only) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2012.05.15
Measures | Conditions | Severity |
---|---|---|
Access Required | Can be attacked over the Internet using packets | |
Authentication | Anonymous or no authentication (IP addresses do not count) | |
User Interaction Required | The vulnerability can be exploited without an honest user taking any action | |
Exploit Complexity | Some expertise and/or luck required (most buffer overflows, guessing correctly in a small space, expertise in Windows function calls) | |
Description of each analysis measure
Comment
Authentication to the other baserCMS instance is not required for this attack.
Credit
Other Information
Item | Value |
---|---|
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2012-1248 |
JVN iPedia | JVNDB-2012-000043 |