#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#############################################################
#
# ID:      COMPASS-2012-001
# Product: OpenKM Document Management System 5.1.7 [1]
# Vendor:  OpenKM
# Subject: Privilege Escalation, Improper Access Control
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date:    January 3rd 2012
#
#############################################################

Description:
------------
Cyrill Brunschwiler, Security Analyst at Compass Security Network
Computing, Switzerland, discovered an authorization flaw in the OpenKM
solution. OpenKM allows application administrators to manage users and
to assign roles. Unfortunately, a standard user holding the UserRole may
alter the roles of existing accounts. This is possible because OpenKM
does not properly check for sufficient privileges: the changes are
applied even though the OpenKM user interface displays an "insufficient
privileges" message to the unprivileged user.

Vulnerable:
-----------
OpenKM version 5.1.7 and most likely prior versions (unconfirmed)

Not vulnerable:
---------------
OpenKM version 5.1.8.

Workaround:
-----------
Grant access to the /OpenKM/admin path to specific IPs only (requires an
additional WAF or reverse proxy setup [2])

Exploit:
--------
Log in as a low-privileged user (having the UserRole) and call the
following URL to gain administrative privileges.

Upgrade Existing User (add AdminRole)
http://example.com/OpenKM/admin/Auth?action=userEdit&persist=true&usr_id=usr&usr_active=on&usr_roles=AdminRole

Timeline:
---------
August 6th,   Vulnerability discovered
August 9th,   Vendor contacted
August 10th,  Vendor notified
December 1st, Patched version released
January 2nd,  Advisory released

References:
-----------
[1] OpenKM
    http://www.openkm.com is a Free/Libre document management system
    that provides a web interface for managing arbitrary files. OpenKM
    includes a content repository, Lucene indexing, and jBPM workflow.
    The OpenKM system was developed using Java technology.

[2] Open Source Web Entry Server
    Talk at OWASP AppSec Washington D.C. in November 2010 about setting
    up an Apache based Open Source Web Entry Server
    https://www.owasp.org/images/f/f4/AppSecDC_Open_Source_Web_Entry_Server_V2.2.ppt
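The flaw class behind this advisory is an authorization decision that only influences what the user interface renders while the state change is persisted regardless. The following constructed example (added here; it is not OpenKM source code, and the handler names, the in-memory user store and the sample request are all assumptions) models a user-edit action fed the same parameters as the URL above, once with the check wired into the message only and once with the check enforced before any mutation:

```python
"""Authorization enforced only in the UI versus enforced before persistence.

Constructed illustration for the flaw class described in the advisory:
a request to the admin user-edit action is rejected on screen but still
persisted. Not OpenKM code; all names below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Tuple

ADMIN_ROLE = "AdminRole"
USER_ROLE = "UserRole"


@dataclass
class User:
    uid: str
    active: bool = True
    roles: List[str] = field(default_factory=list)


class UserStore:
    """Minimal stand-in for the persistence layer (constructed)."""

    def __init__(self, users: Dict[str, User]):
        self.users = users
        self.audit: List[str] = []

    def persist(self, user: User) -> None:
        self.users[user.uid] = user
        self.audit.append(f"persist {user.uid} roles={sorted(user.roles)}")


def parse_user_edit(query: Dict[str, str]) -> Tuple[str, bool, List[str], bool]:
    """Extract the fields carried by the advisory's userEdit URL."""
    uid = query.get("usr_id", "")
    active = query.get("usr_active") == "on"
    roles = [r for r in query.get("usr_roles", "").split(",") if r]
    persist = query.get("persist") == "true"
    return uid, active, roles, persist


def user_edit_vulnerable(actor: User, query: Dict[str, str], store: UserStore) -> str:
    """Mirrors the behaviour the advisory describes: the privilege check
    only selects the message that is rendered; the mutation happens anyway."""
    uid, active, roles, persist = parse_user_edit(query)
    message = "ok"
    if ADMIN_ROLE not in actor.roles:
        message = "insufficient privileges"   # shown to the user ...
    if persist and uid in store.users:          # ... but the change still lands
        target = store.users[uid]
        target.active = active
        target.roles = roles
        store.persist(target)
    return message


def user_edit_fixed(actor: User, query: Dict[str, str], store: UserStore) -> str:
    """Hardened form: authorization is decided first and a denial returns
    before any state is touched, independent of what the UI displays."""
    if ADMIN_ROLE not in actor.roles:
        store.audit.append(f"denied userEdit by {actor.uid}")
        return "insufficient privileges"
    uid, active, roles, persist = parse_user_edit(query)
    if persist and uid in store.users:
        target = store.users[uid]
        target.active = active
        target.roles = roles
        store.persist(target)
    return "ok"


Handler = Callable[[User, Dict[str, str], UserStore], str]


def demo(handler: Handler, actor_roles: Sequence[str] = (USER_ROLE,)) -> Tuple[str, List[str]]:
    """Run one handler against a fresh store; return (message, roles of 'usr')."""
    store = UserStore({
        "usr": User("usr", roles=[USER_ROLE]),           # the account being edited
        "editor": User("editor", roles=list(actor_roles)),  # the requester (constructed)
    })
    # Constructed request carrying the same parameters as the advisory's URL.
    query = {"action": "userEdit", "persist": "true", "usr_id": "usr",
             "usr_active": "on", "usr_roles": ADMIN_ROLE}
    message = handler(store.users["editor"], query, store)
    return message, sorted(store.users["usr"].roles)


if __name__ == "__main__":
    print("vulnerable, UserRole requester:", demo(user_edit_vulnerable))
    print("fixed, UserRole requester:     ", demo(user_edit_fixed))
    print("fixed, AdminRole requester:    ", demo(user_edit_fixed, (ADMIN_ROLE,)))
```

Running the vulnerable handler as a UserRole requester yields the "insufficient privileges" message while `usr` ends up holding AdminRole, which is exactly the symptom the Description section reports; the fixed handler returns the same message but leaves the account untouched and writes a denial to the audit trail, and still lets an AdminRole requester perform the edit. The design point is that the role check must gate the persistence path itself, not only the rendering layer.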