<<< Date Index >>>     <<< Thread Index >>>

Vulnerability CVE-2008-3671 - MyReview's vulnerability in the access control system



Incorrect management of the submission and camera ready versions of
submitted papers to the MyReview system lets unintended users download
these documents. This information leakage can be used to illegally
retrieve sensitive or licensed documents.

I. Description
The MyReview web application is an open-source web application used in
the research community To manage the paper submission and paper review
phases of conferences. Based on the well known PHP+MySQL framework and
distributed under the GNU General Public License, it has been used by
thousands of conferences worldwide.
Incorrect management of the submission and camera ready versions of
submitted papers to the MyReview system lets unintended users download
these documents. This flaw bypass all the access controls implemented
by the MyReview developers. This information leakage is critical as
the documents submitted to the conferences, and mostly at the
submission phase, contain sensitives information researchers may not
want to be publicized.
Besides, this flaw can be used by attackers to retrieve at will the
final version of the documents, after the conferences is done.
However, these final versions may be not free, as it is often the case
for conferences.
More information about this flaw will be publicized later on, as it
could be used to attack existing deployment of the MyReview system.

II. Impact
Exploitation of this vulnerability could lead to the lost of the
sensitive information managed by MyReview: submission and camera ready
version of the submitted paper may be downloaded

III. Solution
The Laboratoire de Recherche en Informatique (LRI), which provide
MyReview has been contacted and they receive a patch I made for this
vulnerability. However, to avoid unpatched website attacks (which are
very easy to do), the author decided to let the LRI  making the
decision about how to efficiently performed the update. Please see
your vendor's advisory for updates and mitigation capabilities. A good
point would be to subscribe to MyReview newsletter, if not done yet.

Version and platform Affected
Affected Platforms - Any
Affected Software - MyReview, http://myreview.intellagence.eu/
Affected Versions - Any (prior or equal to 1.9.9, as 2.0 is still in beta)
Severity - High

Requirements
Authentication - None
Access - Distant (Internet)

References
<to be upgraded later on>

Credit
This vulnerability was reported by Julien A. Thomas.
Contact : julien.thomas@xxxxxxxxxxxxxxxxxxx
TELECOM Bretagne homepage: http://perso.telecom-bretagne.eu/julienthomas/
Personal homepage: http://www.julienthomas.eu/

Other Information
Date Discovered - 16/07/2008
Date Public - 18/07/2008
Date First Published - 18/07/2008
Date Last Updated - 18/07/2008
CVE Name (candidate) - CVE-2008-3671

PS: sorry if this message was sent twice put I got some mailer-daemons
rejects ...

Julien