MS-ISAC CYBERSECURITY ADVISORIES
MS-ISAC ADVISORY NUMBER:
3/24/2016 - Updated
Multiple Vulnerabilities in Schoolwires Could Allow for Sensitive Information Disclosure
Multiple vulnerabilities have been discovered in Schoolwires, which could result in sensitive information disclosure. Schoolwires is a content management system designed specifically for schools to manage web design and content. These vulnerabilities can be exploited remotely by an attacker with access to a website running Schoolwires. Successful exploitation of these vulnerabilities could allow an attacker to list all files in a user-supplied directory, download arbitrary files, obtain sensitive information of Schoolwires users, or deface the school's website.
It is worth noting that most Schoolwires installations are automatically updated as part of their default configuration settings. The MS-ISAC recommends that this setting be verified to ensure these critical updates are applied.
There is evidence of these vulnerabilities being exploited in the wild.
3/15/2016: All Schoolwires versions prior to 2.13 are affected.
3/24/2016 UPDATE: All Schoolwires versions prior to 2.12.01 are affected.
- Large and medium government entities: Medium
- Small government entities: Medium
- Large and medium business entities: Low
- Small business entities: Low
- Home users: N/A
Multiple vulnerabilities have been discovered in Schoolwires. These vulnerabilities exist due to a failure to sanitize user-supplied input in the URL, which could allow exploitation by an unauthenticated remote attacker with access to an affected website.
Successful exploitation of these vulnerabilities could allow an attacker to list all files in a user-supplied directory, download arbitrary files, obtain sensitive information, disclose usernames, email addresses and additional information of Schoolwires users, or deface the school's website.
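As an added defender-side example (not part of the MS-ISAC advisory and not Schoolwires code), the following Python scans web-server access-log lines for percent-encoded and double-encoded directory-traversal sequences in URL query parameters, the kind of unsanitized URL input the summary describes. The log entries, paths and the "file"/"dir" parameter names are constructed placeholders, not actual Schoolwires endpoints.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Constructed access-log lines (Common Log Format). The hosts, paths and the
# "file"/"dir" parameter names are placeholders, not real Schoolwires endpoints.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Mar/2016:10:01:02 +0000] "GET /cms/lib/download.aspx?file=newsletter.pdf HTTP/1.1" 200 5120
203.0.113.5 - - [15/Mar/2016:10:01:09 +0000] "GET /cms/lib/download.aspx?file=..%2F..%2Fprivate.txt HTTP/1.1" 200 2048
198.51.100.7 - - [15/Mar/2016:10:02:11 +0000] "GET /cms/lib/listdir.aspx?dir=%252e%252e%252f%252e%252e%252f HTTP/1.1" 200 9000
198.51.100.7 - - [15/Mar/2016:10:02:30 +0000] "GET /cms/lib/listdir.aspx?dir=images HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f is seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if any path segment of the decoded value is '..' (either slash style)."""
    segments = fully_decode(value).replace("\\", "/").split("/")
    return ".." in segments


def find_traversal_attempts(log_text):
    """Return (client ip, parameter, decoded value, status) per suspicious request.
    A 2xx status on a flagged request deserves the first look: the server may have served it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlparse(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            if has_traversal(raw):
                hits.append((m.group("ip"), name, fully_decode(raw), m.group("status")))
    return hits


if __name__ == "__main__":
    for ip, param, value, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} param={param!r} value={value!r} status={status}")
```

Run it against real access logs by replacing SAMPLE_LOG with the file contents; flagged requests that returned a 2xx status are the ones to investigate first.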
We recommend the following actions be taken: