All Comments
This should be a good conference.
Updated per the notification from the vendor and the researcher to note the version as 0.2.3.
Thanks for the note butterback. Do you have a demo version of this software online? Are you using a minted nonce to mitigate CSRF?
Eyup - any response?
No luck eh?
Loses UNIX permissions? What does that mean exactly? What happens if the system is configured to allow PHP uploads, does the issue persist?
Any comment on the cross site request forgery issue? Thanks.
Follow up story here: packetstormsecurity.com/news/view/22727/Fac…
Sorry about that, it's been fixed.
Actually, I retested and this only works with Administrator rights (which is what your default account is) and using "at" is a known method to RunAs SYSTEM in this case. I've updated the description accordingly.
Worked for us earlier. Will re-verify later today and will re-comment.
Updated. Thanks for noting the change.
Updated it to note as such. Thanks for letting us know.
Actually, someone would have known about this. In particular, the person that sent us this information. Even once fixed, it is important that this information is conveyed to your users as they may not update if their vendor quietly fixes this without noting it as a security issue.
@valentin: we're looking into seeing what we can do about the comment thing.
As an aside, both secunia and exploit-db *have* posted this finding regarding openEngine.. :)
packetstormsecurity.org/files/view/95910/sa…
www.exploit-db.com/exploits/15557
It's about time. I was getting tired of having to walk around the corner.
Thanks for the note. Unfortunately, we are not always able to verify everything that comes down the wires, though I have reached out to the secpod team to see if I can find out any additional information/proof regarding their claims.