[VIM] Urchin Report.CGI Authorization Bypass Vulnerability

George A. Theall theall at tenablesecurity.com
Sat Oct 13 11:12:04 UTC 2007

FWIW, the authorization bypass issue in Urchin reported by MustLive 
(http://securityvulns.ru/Sdocument90.html) and covered by CVE-2007-5113/ 
Bugtraq 26037 seems to be a feature rather than a vulnerability. At 
least in version 5.7.03, an administrator must enable "Direct Report
Linking" (under "Settings", "Access Settings"). It is disabled by
default, and the online help for this setting says:

   "Enabling this feature allows you to circumvent authentication
   and create links directly to reports. This can be useful for
   systems that are already password or network protected"...

theall at tenablesecurity.com
