PT-2013-6109 · Silverstripe · Silverstripe

Fara Denise Rustein · Published 2013-11-13 · Updated 2013-11-13 · CVE-2013-6789

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions
SilverStripe version 3.0.3

Description
The issue allows remote or local attackers to obtain sensitive information by reading web-server access logs, web-server Referer logs, or the browser history. This is due to the support of credentials in a GET request in the security/MemberLoginForm.php file.

Recommendations
For SilverStripe version 3.0.3, consider modifying the security/MemberLoginForm.php file to only support credentials in a POST request, or implement an alternative secure method to handle user credentials. As a temporary workaround, restrict access to web-server logs and browser history to minimize the risk of sensitive information disclosure.
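
To support the log-related workaround, the following added example (not part of the advisory or of SilverStripe) audits access-log lines in the combined format for credentials passed in a GET query string or carried in a Referer, and redacts them. The parameter names, the login path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumption: parameter names that carry secrets; adjust to the login form in use.
SECRET_PARAMS = {"password", "passwd", "pwd"}

# Apache/nginx "combined" format: request line, status, size, referer, user agent.
LINE_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>[A-Z]+) (?P<target>\S+)'
    r'(?P<mid> [^"]*" \d{3} \S+ ")(?P<referer>[^"]*)(?P<post>".*)$'
)

def redact_url(url):
    """Return (redacted_url, leaked_param_names) for one URL or request target."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SECRET_PARAMS]
    if not leaked:
        return url, []
    clean = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), leaked

def audit_line(line):
    """Return (redacted_line, findings); findings name where a secret appeared."""
    m = LINE_RE.match(line)
    if not m:
        return line, []
    target, t_leak = redact_url(m["target"])
    referer, r_leak = redact_url(m["referer"])
    findings = [("request", p) for p in t_leak] + [("referer", p) for p in r_leak]
    out = f'{m["pre"]}{m["method"]} {target}{m["mid"]}{referer}{m["post"]}'
    return out, findings

# Constructed sample lines (not real traffic); host, paths and values are made up.
SAMPLE = [
    '203.0.113.7 - - [13/Nov/2013:10:00:01 +0000] "GET /Security/LoginForm?Email=a%40example.org&Password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Nov/2013:10:00:02 +0000] "GET /home HTTP/1.1" 200 512 "http://cms.example/Security/LoginForm?Email=a%40example.org&Password=hunter2" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Nov/2013:10:00:03 +0000] "POST /Security/LoginForm HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def audit(lines):
    """Audit many lines; return (redacted_lines, {line_index: findings})."""
    results = [audit_line(l) for l in lines]
    return [r[0] for r in results], {i: r[1] for i, r in enumerate(results) if r[1]}

if __name__ == "__main__":
    redacted, hits = audit(SAMPLE)
    for i, f in hits.items():
        print(i, f, redacted[i])
```

Accounts whose credentials appear in the findings should have their passwords reset, since the values may already have been read from the logs.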

Exploit

Fix

Information Disclosure


Related Identifiers

CVE-2013-6789

Affected Products

Silverstripe