S21Sec-032-en: Vulnerability in FatWire Content Server
##############################################################
- S21Sec Advisory -
##############################################################
Title: FatWire Content Server
ID: S21SEC-032-en
Severity: High - Administrative Privileges Escalation
History: 31.May.2006 Vulnerability discovered
         05.Jun.2006 Fixed (patch available)
Scope: FatWire Content Server Portal
Platforms: Any
Author: Alberto Moro (amoro@xxxxxxxxxx)
URL: http://www.s21sec.com/avisos/s21sec-032-en.txt
Release: Public
[ SUMMARY ]
The FatWire Content Server product suite enables companies to deploy a wide
variety and large quantity of Web sites and content-centric applications
that build customer loyalty, reach new markets, strengthen brand identity,
boost productivity, and reduce costs.
[ AFFECTED VERSIONS ]
The following tested versions are affected by this issue:
- FatWire Content Server 5.5.0
[ DESCRIPTION ]
It is possible to obtain administrative privileges in the portal without
prior registration or validation.
[ WORKAROUND ]
Upgrade FatWire CS to the latest version or apply the patch provided by
the vendor.
[ ACKNOWLEDGMENTS ]
These vulnerabilities have been found and researched by:
- Alberto Moro <amoro@xxxxxxxxxx> S21Sec
With thanks to:
- Leonardo Nve <lnve@xxxxxxxxxx> S21Sec
[ REFERENCES ]
* FatWire Content Server
http://www.fatwire.com/cs/Satellite/CSPage_US.html
* S21Sec
http://www.s21sec.com