what you don't know can hurt you

OpenKM Document Management System 5.1.7 Privilege Escalation

OpenKM Document Management System 5.1.7 Privilege Escalation
Posted Jan 3, 2012
Authored by Cyrill Brunschwiler | Site csnc.ch

OpenKM Document Management System version 5.1.7 suffers from an authenticated privilege escalation vulnerability.

tags | exploit
MD5 | c854b82aaf61acf780dff9ac73f4b767

OpenKM Document Management System 5.1.7 Privilege Escalation

Change Mirror Download
########################################################################
##
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
########################################################################
##
#
# ID: COMPASS-2012-001
# Product: OpenKM Document Management System 5.1.7 [1]
# Vendor: OpenKM http://www.openkm.com/
# Subject: Privilege Escalation, Improper Access Control
# Risk: High
# Effect: Remotely exploitable
# Author: Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date: August 6th 2011
#
########################################################################
##

Description:
------------
Cyrill Brunschwiler, Security Analyst at Compass Security Network
Computing,
Switzerland discovered an authorization flaw in the OpenKM solution.
OpenKM
does allow application administrators to manage users and to assign
roles.
Unfortunately, a standard user having the UserRole may alter the roles
of
existing account. This is possible because OpenKM does not properly
check
for the sufficient privileges. The changes are being applied even though
the
OpenKM user interface displays an "insufficient privileges" message to
the
unprivileged user.

Vulnerable:
-----------
OpenKM version 5.1.7

Not vulnerable:
---------------
OpenKM version 5.1.8

Workaround:
-----------
Grant access to /OpenKM/admin path to specific IPs only (requires
additional
WAF, Reverse Proxy setup[2] or web server IP restriction)

Exploit:
--------
Login as low privileged User (having the UserRole) and call the
following
URL to gain administrative privileges.

http://example.com/OpenKM/admin/Auth?action=userEdit&persist=true&usr_id
=usr&usr_active=on&usr_roles=AdminRole

Timeline:
---------
August 6th, Vulnerability discovered
August 9th, Vendor contacted
August 10th, Vendor notified
December 1st, Patched version released
January 2nd, Advisory released

References:
-----------
[1] OpenKM http://www.openkm.com/
is an Free/Libre document management system that provides a web
interface for
managing arbitrary files. OpenKM includes a content repository, Lucene
indexing, and jBPM workflow. The OpenKM system was developed using Java
technology.

[2] Open Source Web Entry Server
Talk at OWASP Appsec Washington D.C. in November 2010 about setting up
an
Apache based Open Source Web Entry Server
https://www.owasp.org/images/f/f4/AppSecDC_Open_Source_Web_Entry_Server_
V2.2.ppt

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close