exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OpenKM Document Management System 5.1.7 Privilege Escalation

OpenKM Document Management System 5.1.7 Privilege Escalation
Posted Jan 3, 2012
Authored by Cyrill Brunschwiler | Site csnc.ch

OpenKM Document Management System version 5.1.7 suffers from an authenticated privilege escalation vulnerability.

tags | exploit
SHA-256 | 49cb4a1122d833c8f895823e05d71dfc8abe13d33615f668ecd9d5d856d3dbc0

OpenKM Document Management System 5.1.7 Privilege Escalation

Change Mirror Download
########################################################################
##
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
########################################################################
##
#
# ID: COMPASS-2012-001
# Product: OpenKM Document Management System 5.1.7 [1]
# Vendor: OpenKM http://www.openkm.com/
# Subject: Privilege Escalation, Improper Access Control
# Risk: High
# Effect: Remotely exploitable
# Author: Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date: August 6th 2011
#
########################################################################
##

Description:
------------
Cyrill Brunschwiler, Security Analyst at Compass Security Network
Computing,
Switzerland discovered an authorization flaw in the OpenKM solution.
OpenKM
does allow application administrators to manage users and to assign
roles.
Unfortunately, a standard user having the UserRole may alter the roles
of
existing account. This is possible because OpenKM does not properly
check
for the sufficient privileges. The changes are being applied even though
the
OpenKM user interface displays an "insufficient privileges" message to
the
unprivileged user.

Vulnerable:
-----------
OpenKM version 5.1.7

Not vulnerable:
---------------
OpenKM version 5.1.8

Workaround:
-----------
Grant access to /OpenKM/admin path to specific IPs only (requires
additional
WAF, Reverse Proxy setup[2] or web server IP restriction)

Exploit:
--------
Login as low privileged User (having the UserRole) and call the
following
URL to gain administrative privileges.

http://example.com/OpenKM/admin/Auth?action=userEdit&persist=true&usr_id
=usr&usr_active=on&usr_roles=AdminRole

Timeline:
---------
August 6th, Vulnerability discovered
August 9th, Vendor contacted
August 10th, Vendor notified
December 1st, Patched version released
January 2nd, Advisory released

References:
-----------
[1] OpenKM http://www.openkm.com/
is an Free/Libre document management system that provides a web
interface for
managing arbitrary files. OpenKM includes a content repository, Lucene
indexing, and jBPM workflow. The OpenKM system was developed using Java
technology.

[2] Open Source Web Entry Server
Talk at OWASP Appsec Washington D.C. in November 2010 about setting up
an
Apache based Open Source Web Entry Server
https://www.owasp.org/images/f/f4/AppSecDC_Open_Source_Web_Entry_Server_
V2.2.ppt
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close