OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
OpenKM 5.1.7 Privilege Escalation

From: Cyrill Brunschwiler (cyrill.brunschwilercsnc.ch)
Date: Tue Jan 03 2012 - 06:47:39 CST


########################################################################
##
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
########################################################################
##
#
# ID: COMPASS-2012-001
# Product: OpenKM Document Management System 5.1.7 [1]
# Vendor: OpenKM http://www.openkm.com/
# Subject: Privilege Escalation, Improper Access Control
# Risk: High
# Effect: Remotely exploitable
# Author: Cyrill Brunschwiler (cyrill.brunschwilercsnc.ch)
# Date: August 6th 2011
#
########################################################################
##

Description:
------------
Cyrill Brunschwiler, Security Analyst at Compass Security Network
Computing,
Switzerland discovered an authorization flaw in the OpenKM solution.
OpenKM
does allow application administrators to manage users and to assign
roles.
Unfortunately, a standard user having the UserRole may alter the roles
of
existing account. This is possible because OpenKM does not properly
check
for the sufficient privileges. The changes are being applied even though
the
OpenKM user interface displays an "insufficient privileges" message to
the
unprivileged user.

Vulnerable:
-----------
OpenKM version 5.1.7

Not vulnerable:
---------------
OpenKM version 5.1.8

Workaround:
-----------
Grant access to /OpenKM/admin path to specific IPs only (requires
additional
WAF, Reverse Proxy setup[2] or web server IP restriction)

Exploit:
--------
Login as low privileged User (having the UserRole) and call the
following
URL to gain administrative privileges.

http://example.com/OpenKM/admin/Auth?action=userEdit&persist=true&usr_id
=usr&usr_active=on&usr_roles=AdminRole

Timeline:
---------
August 6th, Vulnerability discovered
August 9th, Vendor contacted
August 10th, Vendor notified
December 1st, Patched version released
January 2nd, Advisory released

References:
-----------
[1] OpenKM http://www.openkm.com/
is an Free/Libre document management system that provides a web
interface for
managing arbitrary files. OpenKM includes a content repository, Lucene
indexing, and jBPM workflow. The OpenKM system was developed using Java
technology.

[2] Open Source Web Entry Server
Talk at OWASP Appsec Washington D.C. in November 2010 about setting up
an
Apache based Open Source Web Entry Server
https://www.owasp.org/images/f/f4/AppSecDC_Open_Source_Web_Entry_Server_
V2.2.ppt