[CVE-2013-2638] CTERA C200 – Access to ConfigurationTab as users
By: Luigi Vezzoso | #CVE #vulnerability
Some CTERA cloud-attached storage appliances are vulnerable to Insecure Direct Object References, permitting information disclosure to an authenticated user who has no administrative permissions. For example, such a user can obtain the full list of users together with their e-mail addresses.
CTERA R&D fixed this issue in firmware release 3.2.47, so the issue should affect only versions prior to 3.2.47.
It is not a critical vulnerability, because these appliances are usually deployed inside a company or corporate environment where the user information is often available to everyone anyway. If these appliances were used to provide services to external users, this could be a risky vulnerability.
Steps to reproduce the issue:
- Log in to the appliance as a standard user.
- After logging in, change the URL parameter to ConfigTab.
- As you can see, the standard user can access the configuration interface of the appliance.
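The defect described above is a missing server-side authorization check: the appliance verifies that the requester is logged in, but then serves whichever tab the URL parameter names. The following is an added example, not CTERA's code, showing that pattern next to its hardened form and a small log check a defender could run to spot non-admin accounts reaching the configuration tab. The parameter name `tab`, the `User` model, the `/ui` path, the account names and the log format are all constructed assumptions for this illustration; only the value `ConfigTab` comes from the advisory.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class User:
    """Session principal (hypothetical model, not the appliance's own)."""
    name: str
    is_admin: bool


# Tabs of a hypothetical web UI. "ConfigTab" mirrors the URL parameter value
# named in the advisory; the other entries are constructed for this example.
TAB_CONTENT: Dict[str, str] = {
    "FilesTab": "file browser",
    "ConfigTab": "appliance configuration (user list, e-mail addresses, settings)",
}

# Tabs that must only be served to administrators.
ADMIN_ONLY_TABS = {"ConfigTab"}


class Forbidden(Exception):
    """Raised when an authenticated user lacks the role a tab requires."""


def render_tab_vulnerable(user: User, tab: str) -> str:
    """Vulnerable pattern: the caller is authenticated (a User exists), but the
    client-supplied tab name is served without any authorization decision."""
    if tab not in TAB_CONTENT:
        raise KeyError(tab)
    return TAB_CONTENT[tab]


def authorized(user: User, tab: str) -> bool:
    """Server-side authorization: derived from the session's role, never from
    anything the client sends in the URL."""
    return tab not in ADMIN_ONLY_TABS or user.is_admin


def render_tab_hardened(user: User, tab: str) -> str:
    """Hardened pattern: authenticate, then authorize before serving the tab."""
    if tab not in TAB_CONTENT:
        raise KeyError(tab)
    if not authorized(user, tab):
        raise Forbidden(f"{user.name} is not permitted to view {tab}")
    return TAB_CONTENT[tab]


# Constructed access-log sample: "<user> <status> <method> <path>".
SAMPLE_LOG = """\
alice 200 GET /ui?tab=FilesTab
bob 200 GET /ui?tab=ConfigTab
admin 200 GET /ui?tab=ConfigTab
alice 403 GET /ui?tab=ConfigTab
"""

# Accounts that legitimately hold the administrator role (constructed).
ADMIN_ACCOUNTS = {"admin"}


def find_unauthorized_config_access(log_text: str) -> List[Tuple[str, str]]:
    """Return (user, path) for every successful (200) request to ConfigTab
    made by an account that is not a known administrator. A 403 line is not
    reported: that is the hardened code doing its job."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the constructed format
        user, status, _method, path = parts
        if "tab=ConfigTab" in path and status == "200" and user not in ADMIN_ACCOUNTS:
            hits.append((user, path))
    return hits


if __name__ == "__main__":
    bob = User("bob", is_admin=False)
    print("vulnerable:", render_tab_vulnerable(bob, "ConfigTab"))
    try:
        render_tab_hardened(bob, "ConfigTab")
    except Forbidden as exc:
        print("hardened:", exc)
    print("log review:", find_unauthorized_config_access(SAMPLE_LOG))
```

The key design point is that `authorized()` consults only the session's role; the tab name from the URL is treated as untrusted input that selects content but never grants access. The log check is a retrospective control for appliances still running a firmware prior to 3.2.47: any successful ConfigTab request by a non-administrator is worth investigating.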
[CVE-2013-2638] Date: 11/03/2013