Ravens PHP Scripts

WebGUI Asset Deletion Vulnerability
Date: Monday, January 29, 2007 @ 11:56:30 CET
Topic: Security


SECUNIA ADVISORY ID: SA23981

VERIFY ADVISORY: http://secunia.com/advisories/23981/

CRITICAL: Moderately critical

IMPACT: Manipulation of data

SOFTWARE: WebGUI 7.x - http://secunia.com/product/13252/

DESCRIPTION: Lucas Bartholemy has reported a vulnerability in WebGUI, which can be exploited by malicious users to delete assets.


The vulnerability is caused by the "www_purgeList()" method not correctly checking a user's permissions when deleting an asset. It is reported in all 7.x versions prior to 7.3.8.
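The class of flaw described above, shown as an added example that is not WebGUI code and not part of the original advisory: a bulk purge handler that trusts the submitted ID list, beside one that authorizes each asset server-side before deleting it. The advisory does not detail the actual defect, so modelling it as a missing per-asset check is an assumption, and every name here (`Asset`, `Store`, `can_edit`, `purge_list_*`) is hypothetical.

```python
# Illustrative model only: not WebGUI code. All names here are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Asset:
    asset_id: str
    editors: set  # user names allowed to edit (and therefore purge) this asset

    def can_edit(self, user: str) -> bool:
        return user in self.editors

@dataclass
class Store:
    assets: dict = field(default_factory=dict)

    def add(self, asset: Asset) -> None:
        self.assets[asset.asset_id] = asset

def purge_list_unchecked(store: Store, user: str, asset_ids: list) -> list:
    """Flawed pattern: trusts the submitted id list, never consults the caller's rights."""
    purged = []
    for asset_id in asset_ids:
        if store.assets.pop(asset_id, None) is not None:
            purged.append(asset_id)
    return purged

def purge_list_checked(store: Store, user: str, asset_ids: list) -> tuple:
    """Hardened pattern: authorize every id server-side before deleting it."""
    purged, denied = [], []
    for asset_id in dict.fromkeys(asset_ids):  # de-duplicate, keep order
        asset = store.assets.get(asset_id)
        if asset is None:
            continue  # unknown id: nothing to delete
        if not asset.can_edit(user):
            denied.append(asset_id)  # keep for audit logging
            continue
        del store.assets[asset_id]
        purged.append(asset_id)
    return purged, denied

def build_store() -> Store:
    """Constructed sample data."""
    store = Store()
    store.add(Asset("home-page", {"admin"}))
    store.add(Asset("alice-draft", {"admin", "alice"}))
    return store

if __name__ == "__main__":
    ids = ["home-page", "alice-draft"]
    print(purge_list_unchecked(build_store(), "alice", ids))
    print(purge_list_checked(build_store(), "alice", ids))
```

The denied list returned by the checked handler is the natural input for an audit log entry or alert on attempted out-of-scope deletions.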

SOLUTION: Update to version 7.3.8.

PROVIDED AND/OR DISCOVERED BY: The vendor credits Lucas Bartholemy.

ORIGINAL ADVISORY:
http://www.plainblack.com/getwebgui/advisories/security-defect-discovered-in-7.x-versions
http://sourceforge.net/project/shownotes.php?release_id=481584






This article comes from Ravens PHP Scripts
http://www.ravenphpscripts.com

The URL for this story is:
http://www.ravenphpscripts.com/modules.php?name=News&file=article&sid=2702