Last Updated: March 11, 2010
Published: March 5, 2010
Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) issued a security alert concerning a security vulnerability in OpenPNE on March 5, 2010.
This vulnerability allows an attacker to access OpenPNE as a registered user using the user’s cell phone ID.
If exploited, users’ personal information held in the OpenPNE system may be disclosed to or altered by a malicious attacker.
To fix this vulnerability, update to the fixed version or apply the workaround, following the instructions provided by the product developer.
OpenPNE is an open source social networking service (SNS) engine developed by Tejimaya Inc. as its organizer. With OpenPNE, users can create websites as well as mobile websites. Users can access their own mobile page by registering their cell phone with the OpenPNE mobile system.
OpenPNE has a security vulnerability which allows an attacker to access OpenPNE as a registered user using the user’s cell phone ID. If exploited, users’ personal information held in the OpenPNE system may be disclosed to or altered by a malicious attacker.
Given the high potential impact of the vulnerability and the wide use of OpenPNE in Japan, IPA has issued the security alert to raise awareness among a number of SNS website operators who may be affected by this vulnerability.
For detailed information, refer to the following URL:
http://www.openpne.jp/archives/4612/ (Japanese)
For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2010-000006
IPA first received a report concerning this vulnerability from the reporter credited below on February 23, 2010. The JPCERT Coordination Center (JPCERT/CC), in line with the Information Security Early Warning Partnership, coordinated with the vendor and made the announcement public on March 5, 2010.
Credit: Hiromitsu Takagi
The users’ personal information held in the OpenPNE system may be disclosed to or altered by a malicious attacker.

To fix this vulnerability, update to the fixed version or apply the workaround, following the instructions provided by the product developer.
| Severity Rating (CVSS base score) | □ Low (0.0~3.9) | ■ Medium (4.0~6.9) | □ High (7.0~10.0) |
|---|---|---|---|
| CVSS base score | 5.8 | | |

| AV:Access Vector | □ Local | □ Adjacent Network | ■ Network |
|---|---|---|---|
| AC:Access Complexity | □ High | ■ Medium | □ Low |
| Au:Authentication | □ Multiple | □ Single | ■ None |
| C:Confidentiality Impact | □ None | ■ Partial | □ Complete |
| I:Integrity Impact | □ None | ■ Partial | □ Complete |
| A:Availability Impact | ■ None | □ Partial | □ Complete |
■:Selected Values
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)