OpenKM 5.1.7 Privilege Escalation

2012-01-09T00:00:00
ID SECURITYVULNS:DOC:27539
Type securityvulns
Reporter Securityvulns
Modified 2012-01-09T00:00:00

Description

COMPASS SECURITY ADVISORY http://www.csnc.ch/

ID: COMPASS-2012-001

Product: OpenKM Document Management System 5.1.7 [1]

Vendor: OpenKM http://www.openkm.com/

Subject: Privilege Escalation, Improper Access Control

Risk: High

Effect: Remotely exploitable

Author: Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)

Date: August 6th 2011

Description:

Cyrill Brunschwiler, Security Analyst at Compass Security Network Computing, Switzerland discovered an authorization flaw in the OpenKM solution. OpenKM does allow application administrators to manage users and to assign roles. Unfortunately, a standard user having the UserRole may alter the roles of existing account. This is possible because OpenKM does not properly check for the sufficient privileges. The changes are being applied even though the OpenKM user interface displays an "insufficient privileges" message to the unprivileged user.

Vulnerable:

OpenKM version 5.1.7

Not vulnerable:

OpenKM version 5.1.8

Workaround:

Grant access to /OpenKM/admin path to specific IPs only (requires additional WAF, Reverse Proxy setup[2] or web server IP restriction)

Exploit:

Login as low privileged User (having the UserRole) and call the following URL to gain administrative privileges.

http://example.com/OpenKM/admin/Auth?action=userEdit&persist=true&usr_id =usr&usr_active=on&usr_roles=AdminRole

Timeline:

August 6th, Vulnerability discovered August 9th, Vendor contacted August 10th, Vendor notified December 1st, Patched version released January 2nd, Advisory released

References:

[1] OpenKM http://www.openkm.com/ is an Free/Libre document management system that provides a web interface for managing arbitrary files. OpenKM includes a content repository, Lucene indexing, and jBPM workflow. The OpenKM system was developed using Java technology.

[2] Open Source Web Entry Server Talk at OWASP Appsec Washington D.C. in November 2010 about setting up an Apache based Open Source Web Entry Server https://www.owasp.org/images/f/f4/AppSecDC_Open_Source_Web_Entry_Server_ V2.2.ppt