Title: MetaDot Corporation MetaDot Portal Server Multiple Vulnerabilities
Severity: HIGH
Description:
MetaDot Portal Server is an open source portal software which provides content management, portal, and online database applications. It is used to create web portals and websites.
A number of vulnerabilities have been found in MetaDot Corporation's MetaDot Portal Server. Because the software fails to properly validate user input, an attacker may be able to carry out SQL injection attacks that may lead to data corruption or force the server to disclose system configuration information. Cross-site scripting vulnerabilities related to a similar issue have also been identified.
MetaDot Portal Server is vulnerable to SQL injection. This vulnerability may allow an attacker to destroy or corrupt data on vulnerable systems. It has also been reported that this issue may disclose server configuration information. An attacker may exploit this vulnerability by issuing a specially crafted URI to the MetaDot server. This is due to the software failing to properly validate the values assigned to URL variables.
The values stored in the 'key', 'id' and 'iid' variables defined in the URI are used in an SQL statement and may allow a user to inject SQL commands. It has also been reported that this issue produces a cross-site scripting vulnerability, as an attacker can force the error message to execute a script supplied in the variable. Furthermore, the error message issued by a failed SQL command reveals a significant amount of information to the attacker. This information includes system configuration details such as the current Perl version as well as the web server path.
Aside from the above-mentioned cross-site scripting vulnerabilities, there are a number of other URIs that will produce similar effects. These issues are also due to improper validation of variables specified in the URI.
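The three failures described above (URI values placed in SQL, input reflected in the error page, and verbose database errors shown to the client) are addressed together in the following added Perl example, which is not MetaDot code or part of the original advisory. The table, the show_item handler and the assumption that 'key', 'id' and 'iid' carry decimal integers are hypothetical, and DBI with DBD::SQLite is assumed to be installed.

```perl
#!/usr/bin/perl
# Added illustration, not MetaDot source. Schema, handler and the assumption
# that 'key', 'id' and 'iid' are decimal integers are hypothetical.
use strict;
use warnings;
use DBI;    # assumes DBI and DBD::SQLite are installed

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE item (id INTEGER PRIMARY KEY, title TEXT)');
$dbh->do(q{INSERT INTO item (id, title) VALUES (1, 'Welcome <all>')});

my %ENT = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
           '"' => '&quot;', "'" => '&#39;');

sub html_escape {
    my ($s) = @_;
    $s =~ s/([&<>"'])/$ENT{$1}/g;
    return $s;
}

# Returns (HTTP status, HTML body) for a request's query parameters.
sub show_item {
    my (%q) = @_;
    # 1. Allow-list validation before any value reaches SQL or HTML.
    for my $name (qw(key id iid)) {
        next unless exists $q{$name};
        return (400, '<p>Invalid request.</p>')
            unless defined $q{$name} && $q{$name} =~ /\A[0-9]{1,9}\z/;
    }
    return (400, '<p>Invalid request.</p>') unless exists $q{id};
    # 2. Placeholder binding: the value is never spliced into the statement.
    my $row = eval {
        $dbh->selectrow_hashref('SELECT title FROM item WHERE id = ?',
            undef, $q{id});
    };
    if ($@) {
        # 3. Detail goes to the server log only; the client sees no driver
        #    message, path, Perl version or echoed input.
        warn "show_item: database error: $@";
        return (500, '<p>Internal error.</p>');
    }
    return (404, '<p>Not found.</p>') unless $row;
    # 4. Output encoding for anything rendered into the page.
    return (200, '<h1>' . html_escape($row->{title}) . '</h1>');
}

# Constructed sample requests.
for my $q ({ id => '1' }, { id => '7' }, { id => '1 OR 1=1' },
           { id => '1', iid => '<b>x</b>' }) {
    my ($status, $body) = show_item(%$q);
    print "$status $body\n";
}
```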
MetaDot Portal Server versions 5.6.5.4 b5 and prior have been reported to be vulnerable to these issues.
These issues are currently undergoing further analysis. This cumulative BID will be separated into individual entries when analysis is complete.
Affected Products:
- MetaDot MetaDot Portal Server 5.5.2.1
- MetaDot MetaDot Portal Server 5.6.4
- MetaDot MetaDot Portal Server 5.6.4.1
- MetaDot MetaDot Portal Server 5.6.4.2
- MetaDot MetaDot Portal Server 5.6.4.3
- MetaDot MetaDot Portal Server 5.6.5
- MetaDot MetaDot Portal Server 5.6.5.1
- MetaDot MetaDot Portal Server 5.6.5.2
- MetaDot MetaDot Portal Server 5.6.5.3
- MetaDot MetaDot Portal Server 5.6.5.3.1
- MetaDot MetaDot Portal Server 5.6.5.4b5