exploit the possibilities

OpenDocMan 1.2.6.2 SQL Injection / Access Bypass

OpenDocMan 1.2.6.2 SQL Injection / Access Bypass
Posted Dec 13, 2012
Authored by Kenneth F. Belva

OpenDocMan version 1.2.6.2 suffers from remote SQL injection and multiple access bypass vulnerabilities.

tags | exploit, remote, vulnerability, sql injection, bypass
MD5 | f1085c129f4e3a974656389cb2cdc63c

OpenDocMan 1.2.6.2 SQL Injection / Access Bypass

Change Mirror Download
#1 - Unprotected id parameter
-----------------------------
In check-in.php the id variable is not filtered so that one can put in
additional SQL statements. I have been able to get a UNION SELECT query
to run but I do not think it's exploitable because there is a second
query that runs with the id variable that will fail. None-the-less it is
possible to get my string to the interpreter as valid SQL.

#2 - Password reset allows anyone to reset the admin password
-------------------------------------------------------------
forgot_password.php does not have any authentication or checking to make
sure the user is only changing their password. So, an unauthenticated
user can reset the password of any account if this functionality is
enabled. It is disabled by default.

#3 - ACL broken for restricted documents
----------------------------------------
Assume a user uploads a file and put restricted access control around it
preventing any other users from accessing it through the software
interface. If an attacker were to change the aku parameter to include
the restricted file number they would be able to use the check-out.php
page to retrieve the restricted file.


Thanks to Stephen Laurence, the developer for this OSS project, for the
quick replies. These issues were addressed by the developer (although I
did not test the changes). Please download the latest version.

Ken
http://silverbackventuresllc.com
Login or Register to add favorites

File Archive:

November 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    19 Files
  • 2
    Nov 2nd
    25 Files
  • 3
    Nov 3rd
    8 Files
  • 4
    Nov 4th
    7 Files
  • 5
    Nov 5th
    24 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    106 Files
  • 11
    Nov 11th
    19 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    18 Files
  • 16
    Nov 16th
    12 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    12 Files
  • 19
    Nov 19th
    4 Files
  • 20
    Nov 20th
    2 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    14 Files
  • 24
    Nov 24th
    19 Files
  • 25
    Nov 25th
    4 Files
  • 26
    Nov 26th
    1 Files
  • 27
    Nov 27th
    4 Files
  • 28
    Nov 28th
    1 Files
  • 29
    Nov 29th
    11 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close