search menu icon-carat-right cmu-wordmark

CERT Coordination Center

BlogEngine.net information disclosure vulnerability

Vulnerability Note VU#553166

Original Release Date: 2014-01-02 | Last Revised: 2014-01-02

Overview

BlogEngine.net 2.8.0.0 and earlier versions contain an information disclosure vulnerability which could allow an attacker to gain access to credentials.

Description

CWE-200: Information Exposure

BlogEngine.net 2.8.0.0 and earlier contain an information disclosure vulnerability which could allow an attacker to gain access to credential information. BlogEngine.net allows unauthenticated users to view system configuration files (sioc.axd) which contain username and hashed passwords of the BlogEngine.net site.

Impact

An unauthenticated remote attacker could gain access to credential information on the BlogEngine.net system.

Solution

We are currently unaware of a practical solution to this problem.

Restrict access to the sioc.axd configuration file

Restrict access to the sioc.axd configuration file to trusted networks. If possible, configure management and transit networks for separate VLANs, or restrict access to the device using IP access lists.

Vendor Information

553166
 
Affected   Unknown   Unaffected

BlogEngine

Updated:  December 10, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal 3.8 E:U/RL:U/RC:UC
Environmental 1.1 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Ali Hussein of Help AG Middle East for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2013-6953
Date Public: 2013-12-13
Date First Published: 2014-01-02
Date Last Updated: 2014-01-02 12:22 UTC
Document Revision: 16

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.