Squiz Matrix - User Account Enumeration
http://www.osisecurity.com.au/advisories/squiz-matrix-user-enumeration

Release Date:
12-Dec-2011

Software:
Squiz - Matrix
http://www.squiz.net/

"Squiz Matrix delivers highly flexible and robust business integration
engine and application development tools. It is an evolution, and the
latest release, of the very successful MySource Matrix content
management system."

Versions tested / affected:
Squiz Matrix 4.6.0

Vulnerability discovered:

User Account Enumeration and User Account Information Disclosure

Vulnerability impact:

Low - Remote user accounts can be ascertained, and then possibly used
to further gain access to valid credentials.

Vulnerability information:

Most information in Squiz Matrix CMS, including users, are stored as
entites called "assets". This includes user accounts. By enumerating
all assets, it is possible to determine if the asset is a user account
by viewing the web page of a given asset by looking for the asset name
prepended by a "~" character. Furthermore, if a valid user account
asset is found, under most conditions tested, it is possible to
disclose
the user's account's full name/description by looking at the user's
asset offset by -2.

Example :

http://[target]/?a=1000

You do not have permission to access <i>~test</i>

http://[target]/?a=998

You do not have permission to access <i>Test Account</i>

Recommendation:

Upgrade to version 4.4.5 or 4.6.1

Workaround:

N/A.

Credit:
This vulnerability was disclosed by Troy Rose

Disclosure timeline:
05-Oct-2011 - Discovered during audit.
08-Nov-2011 - Notified vendor. Vendor response.
11-Nov-2011 - Vendor patched in CVS repository.
11-Nov-2011 - Vendor announces release of v4.4.5 and 4.6.1
05-Dec-2011 - Vendor releases v4.4.5 and 4.6.1
12-Dec-2011 - Disclosure.

About OSI Security:

OSI Security is an independent network and computer security auditing
and consulting company based in Sydney, Australia. We provide internal
and external penetration testing, vulnerability auditing and wireless
site audits, vendor product assessments, secure network design,
forensics and risk mitigation services.

We can be found at http://www.osisecurity.com.au/