A vulnerability was found in Katywhitton RankEm (version now known). It has been declared as problematic. This vulnerability affects some unknown processing. The manipulation with an unknown input leads to a access control vulnerability. The CWE definition for the vulnerability is CWE-264. As an impact it is known to affect confidentiality. CVE summarizes:

Katy Whitton RankEm stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing credentials via a direct request for database/topsites.mdb.

The weakness was shared 01/22/2009 (Website). The advisory is shared for download at milw0rm.com. This vulnerability was named CVE-2009-0249 since 01/22/2009. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are unknown but a public exploit is available. The MITRE ATT&CK project declares the attack technique as T1068.

A public exploit has been developed by Pouya_Server and been published before and not just after the advisory. It is possible to download the exploit at exploit-db.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 6 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the databases at X-Force (48070) and Exploit-DB (7805). The entry 46023 is related to this item.

Productinfo

Vendor

• Katywhitton

Name

• RankEm

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion