Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 2.1
CVE Id CVE-2012-2760
Last Modified 04 Apr 2013 11:11:06
Published 25 Jul 2012 03:55:05
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector LOCAL
Access Complexity LOW
Authentication NONE

CVE-2012-2760

Summary

mod_auth_openid before 0.7 for Apache uses world-readable permissions for /tmp/mod_auth_openid.db, which allows local users to obtain session ids.

Vulnerable Systems

Application

  • Findingscience Mod Auth Openid 0.1

  • Findingscience Mod Auth Openid 0.2

  • Findingscience Mod Auth Openid 0.2.1

  • Findingscience Mod Auth Openid 0.3

  • Findingscience Mod Auth Openid 0.4

  • Findingscience Mod Auth Openid 0.5

  • Findingscience Mod Auth Openid 0.6


References

MISC - https://github.com/bmuller/mod_auth_openid/pull/30

CONFIRM - https://github.com/bmuller/mod_auth_openid/blob/master/ChangeLog

OSVDB - 82139

EXPLOIT-DB - 18917

SECUNIA - 49247

MISC - http://packetstormsecurity.org/files/112991/Mod_Auth_OpenID-Session-Stealing.html

FULLDISC - 20120522 session stealing in mod_auth_openid - CVE-2012-2760

XF - modauthopenid-database-info-disclosure(75813)

BID - 53661

MANDRIVA - MDVSA-2012:114


Last Updated: 27 May 2016 10:54:58