COMMAND

	Vignette Story Server sensitive informations leakage

SYSTEMS AFFECTED

	Vignette Story Server v4.1, 6 Windows / Unix
	
	

PROBLEM

	In @stake, Inc. Security Advisory a040703-1 [ http://www.atstake.com  ],
	Ollie Whitehouse found, with contributions of Florian Walther and  Simon
	Kilvington :
	
	
	Vignette's Story  Server  is  a  web  interface  to  Vignette's  content
	management  suite  of  applications  that  operates  on  a  variety   of
	platforms and web server technologies.
	
	Vignette Story Server allows the publication of both static and  dynamic
	content. The dynamic pages  are  created  using  a  TCL[1]  Interpreter.
	There exists vulnerability within the TCL interpreter used  that  allows
	'dumping'  of  the  stack  of  the  current  running  TCL  process  when
	generating dynamic pages.
	
	This  vulnerability  results  in  an  attacker  being  able  to  extract
	information about other users  sessions,  server  side  code  and  other
	sensitive information.
	
	This vulnerability has been verified on Vignette Story Server  v4.1  and
	v6.0.
	
	
	 Description
	 ===========
	
	Vignette supports a vast range  of  dynamic  content  via  it's  content
	management system. It allows the  use  of  TCL  code  to  interact  with
	databases, generate cookies, and wide range of other functions.
	
	When a request is made to a dynamic page which accepts user input  there
	exists an issue when a large number of " and > characters are  input  to
	the TCL interpreter. The effect is that the TCL interpreter  will  crash
	returning to the user the data that was on  the  stack  at  the  current
	time.
	
	@stake's testing observed that the  most  likely  way  to  generate  the
	crash is a with  a  combination  of  around  214  "  and  >  characters.
	Contained below is an example URL  that  if  populated  would  return  a
	large amount of data.
	
	
	https://www.example.co.uk/securelogin/1,2345,A,00.html?Errmessage="x214>x214
	
	
	If above URL is  submitted  when  there  is  a  large  number  of  users
	performing dynamic  functions  within  the  site  (i.e.  logging  in  or
	performing a search) then a large amount of sensitive TCL code  will  be
	available upon the stack and send to the attacker.
	
	It  should  be  noted  that  this   vulnerability   can   be   exploited
	continuously without any effect on  the  availability  of  the  site  in
	question, thus allowing an attacker to effectively wait until they  have
	enough data to achieve their end goal.
	
	                           

SOLUTION

	The problem is fixed and a patch is  available.  Any  Vignette  customer
	who has  a  security  concern  with  their  Vignette  deployment  should
	contact  Vignette  Technical  Support  through  normal  channels.  Those
	channels include
	
	support@vignette.com,
	contacting Technical Support in the Americas at 1 888 846 6907,
	Europe, Middle East and Africa 44(0)1628772299
	and Asia Pacific Australia 1 800 110 118 
	Asia Pacific New Zealand, Singapore, Hong Kong, Taiwan & China: +800 110 11811
	Asia Pacific All Others 61.2.9455.5099.  
	
	
	Additionally, customers have the following resources available at
	
	
	http://support.vignette.com/VOLSS/KB/View/1,,5360,00.html
	
	
	
	
	 @stake Recommendations
	 =======================
	
	If you are you have a dynamic application that receives user  input  you
	should install the patch.
	
	Alternatively, employ string length checks  upon  user  submitted  data.
	@stake has discovered requests under about 100 bytes  rarely  yield  any
	sensitive information.