Atstake Security Advisory 03-04-07.1
Posted Apr 10, 2003
Authored by Atstake, Ollie Whitehouse | Site atstake.com

Atstake Security Advisory A040703-1 - Vignette Story Server has a vulnerability that allows for sensitive information disclosure. It allows the publication of both static and dynamic content. The dynamic pages are created using a TCL[1] interpreter. There exists a vulnerability within the TCL interpreter used that allows 'dumping' of the stack of the currently running TCL process when generating dynamic pages. This vulnerability results in an attacker being able to extract information about other users' sessions, server side code and other sensitive information.

tags | advisory, info disclosure
SHA-256 | 819e7cf337971ea1efaa8dbf85a334f9b624b959117fa9e360810f3cac0f34ac


@stake, Inc.
www.atstake.com
Security Advisory


Advisory Name: Vignette Story Server sensitive information disclosure
Release Date: 04/07/2003
Application: Vignette Story Server v4.1, 6
Platform: Windows / Unix
Severity: A remote user can extract session information, server side
          code and other sensitive information anonymously
Author: Ollie Whitehouse (ollie@atstake.com)
Contributions: Florian Walther (scusi@xs4all.nl)
               Simon Kilvington (si.kay@bigfoot.com)
Vendor Status: Vendor notified, Patch available
CVE Candidate: CAN-2002-0385
Reference: www.atstake.com/research/advisories/2003/a040703-1.txt


Overview:

Vignette's Story Server is a web interface to Vignette's content
management suite of applications; it operates on a variety of
platforms and web server technologies.

Vignette Story Server allows the publication of both static and
dynamic content. The dynamic pages are created using a TCL[1]
interpreter. There exists a vulnerability within the TCL interpreter
used that allows 'dumping' of the stack of the currently running TCL
process when generating dynamic pages.

This vulnerability results in an attacker being able to extract
information about other users' sessions, server side code and
other sensitive information.

This vulnerability has been verified on Vignette Story Server v4.1
and v6.0.


Description:

Vignette supports a vast range of dynamic content via its
content management system. It allows the use of TCL code to interact
with databases, generate cookies, and perform a wide range of other
functions.

When a request is made to a dynamic page which accepts user input,
there exists an issue when a large number of " and > characters are
passed to the TCL interpreter. The effect is that the TCL interpreter
will crash, returning to the user the data that was on the stack at
the time.

From @stake's testing it has been observed that the most likely way to
generate the crash is with a combination of around 214 " and >
characters. Contained below is an example URL that, if populated,
would return a large amount of data.

https://www.example.co.uk/securelogin/1,2345,A,00.html?Errmessage
="x214>x214 [line wrapped]

If the above URL is submitted when there is a large number of users
performing dynamic functions within the site (i.e. logging in or
performing a search) then a large amount of sensitive TCL code will
be available upon the stack and sent to the attacker.

It should be noted that this vulnerability can be exploited
continuously without any effect on the availability of the site in
question, thus allowing an attacker to effectively wait until they
have enough data to achieve their end goal.


Timeline*:

Jan. 28, 2003   Email contact at Vignette on 28th with details of
                vulnerability. Receive questions regarding
                vulnerability and respond accordingly.

February 2003   Vignette confirms they have not been able to reproduce.
                @stake calls Vignette contact to explain vulnerability,
                and understands the product is not affected in its
                latest incarnation due to it being Java rather than
                TCL. Contact says they would like affected customers to
                upgrade. @stake offers via voice and e-mail to
                reproduce issue if Vignette provide Internet accessible
                host. @stake conducts another phone call with Vignette
                to explain the issue and discuss possible alternatives
                and solutions @stake has been suggesting to clients.

March 2003      @stake contacts Vignette requesting an update.
                Vignette states that questions regarding this issue
                should be submitted by affected customers via their
                Vignette support contract.

April 4, 2002   Vignette responds that the issue has been fixed and
                supplies patch information.

* It should be noted that @stake customers were affected by this
issue and our first priority was to not put them at increased risk.


Vendor Response:

The problem is fixed and a patch is available. Any Vignette customer
who has a security concern with their Vignette deployment should
contact Vignette Technical Support through normal channels. Those
channels include support@vignette.com and Technical Support by phone:
Americas 1 888 846 6907; Europe, Middle East and Africa
44(0)1628772299; Asia Pacific Australia 1 800 110 118; Asia Pacific
New Zealand, Singapore, Hong Kong, Taiwan & China +800 110 11811;
Asia Pacific All Others 61.2.9455.5099. Additionally, customers have
the following resource available at
http://support.vignette.com/VOLSS/KB/View/1,,5360,00.html


@stake Recommendations:

If you have a dynamic application that receives user input, you
should install the patch.

Alternatively, employ string length checks upon user submitted
data. In @stake's testing, requests under about 100 bytes rarely
yield any sensitive information.
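The length check recommended above, together with the same check run over
access-log lines to spot the request shape described in the Description,
as an added example that is not part of the advisory or of Vignette's
product. It assumes a front-end that can inspect query parameters before
they reach the TCL interpreter and an access log in Common Log Format; the
100-byte threshold is the advisory's figure, and the sample log lines are
constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

MAX_PARAM_BYTES = 100   # advisory: requests under ~100 bytes rarely leak data
SUSPECT_CHARS = '">'    # the characters the advisory says trigger the crash

def check_query(url: str) -> dict:
    """Per query parameter: decoded byte length, count of '"' and '>' and a
    reject flag. The reject decision is on length alone, so an over-long
    value is stopped before the interpreter sees it whatever it contains."""
    verdict = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        length = len(value.encode("utf-8"))
        verdict[name] = {
            "length": length,
            "suspect_chars": sum(value.count(c) for c in SUSPECT_CHARS),
            "reject": length > MAX_PARAM_BYTES,
        }
    return verdict

# Request line as it appears in a Common Log Format entry (assumed format).
_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    """Return (line number, parameter name, verdict) for every logged request
    carrying a parameter that check_query would reject. A 500 beside such a
    request matches the interpreter crash the advisory describes."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQUEST.search(line)
        if m is None:
            continue
        for name, v in check_query(m.group(1)).items():
            if v["reject"]:
                hits.append((n, name, v))
    return hits

# Constructed sample log, not real traffic: a benign login error followed by a
# request of the shape shown in the advisory (214 '"' then 214 '>', URL-encoded).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2003:09:12:01 +0000] "GET /securelogin/1,2345,A,00.html'
    '?Errmessage=Invalid+password HTTP/1.0" 200 512',
    '203.0.113.9 - - [10/Apr/2003:09:12:07 +0000] "GET /securelogin/1,2345,A,00.html'
    '?Errmessage=' + "%22" * 214 + "%3E" * 214 + ' HTTP/1.0" 500 48211',
]

if __name__ == "__main__":
    for n, name, v in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {name} length={v['length']} suspect={v['suspect_chars']}")
```

Counting the suspect characters is kept separately from the reject decision so the same scan can also rank borderline requests that pass the length limit.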


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues. These are candidates
for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.

CAN-2002-0385 Story Server sensitive information disclosure


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc


@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.


Copyright 2003 @stake, Inc. All rights reserved.
