Vulnerability CVE-2008-3671

Published by AiSpirit


MyReview, http://myreview.intellagence.eu/



Hello everyone.

This has been in progress for several days, but I decided to publish it today, since I am leaving on vacation tonight.

Enjoy!

The CVE number is still being validated, so it is a candidate for the moment.

The MyReview access control system is flawed and can be bypassed to retrieve sensitive information

Overview

Incorrect management of the submission and camera-ready versions of papers submitted to the MyReview system lets unintended users download these documents. This information leakage can be used to illegally retrieve sensitive or licensed documents.

I. Description

The MyReview web application is an open-source web application used in the research community to manage the paper submission and paper review phases of conferences. Based on the well-known PHP+MySQL framework and distributed under the GNU General Public License, it has been used by thousands of conferences worldwide.

Incorrect management of the submission and camera-ready versions of papers submitted to the MyReview system lets unintended users download these documents. This flaw bypasses all the access controls implemented by the MyReview developers. This information leakage is critical because the documents submitted to conferences, especially at the submission phase, contain sensitive information that researchers may not want to be made public.

Besides, this flaw can be used by attackers to retrieve the final versions of the documents at will, after the conference is over. However, these final versions may not be free, as is often the case for conferences.

More information about this flaw will be published later on, as it could be used to attack existing deployments of the MyReview system.

II. Impact

Exploitation of this vulnerability could lead to the loss of the sensitive information managed by MyReview: the submission and camera-ready versions of submitted papers may be downloaded.

III. Solution

The Laboratoire de Recherche en Informatique (LRI), which provides MyReview, has been contacted and has received a patch I made for this vulnerability. However, to avoid attacks on unpatched websites (which are very easy to carry out), the author decided to let the LRI decide how to perform the update efficiently. Please see your vendor's advisory for updates and mitigation capabilities. It would be a good idea to subscribe to the MyReview newsletter, if you have not done so already.

 

Version and platform Affected

Affected Platforms: Any
Affected Software: MyReview, http://myreview.intellagence.eu/
Affected Versions: Any (prior or equal to 1.9.9, as 2.0 is still in beta)

Severity: High

Requirements

Authentication: None
Access: Remote (Internet)

References

EDIT 12 sep 2008

Some security websites took my advisory into account, though the two I sent emails to did not... Here are the references:

http://secunia.com/advisories/31190/ (EN)
http://www.securityfocus.com/archive/1/494567/30/510/threaded (EN)
http://seclists.org/bugtraq/2008/Jul/0173.html (EN)
https://www.securinfos.info/alertes-bulletins-securite/20080722-MyReview-Exposition-de-Donnees-Sensibles.php (FR)

// END of EDIT

 

Credit

This vulnerability was reported by Julien A. Thomas.

TELECOM Bretagne homepage: http://perso.telecom-bretagne.eu/julienthomas/

Personal homepage: http://www.julienthomas.eu/

Other Information

Date Discovered: 16/07/2008
Date Public: 18/07/2008
Date First Published: 18/07/2008
Date Last Updated: 18/07/2008
CERT Advisory:
CVE Name (candidate): CVE-2008-3671


