-------------------------------------------------------- - Multiple Remote Access Validation Vulnerabilities - With PE (community software) -------------------------------------------------------- (Altrus::security.honour.ca) Program name: PE Versions affected: <unknown> Vendor(s): Outstart Inc. Participate Systems Inc. Vendor Notification Date: 23 FEB 2005 Risk: Moderately Serious Impact: Denial of Service, File Upload Vendor Homepages: http://www.outstart.com http://www.participate.com --------------------------------------------------------- - Description --------------------------------------------------------- PE is a proprietary java-based community that mimics the functionality provided by existing open-source software. It facilitates community forums, document libraries, message boards, user interaction and an user management infrastructure. >From vendor site: Available as either a hosted or installed solution, OutStart Participate is improving the collaboration and knowledge-sharing capabilities of many world-class companies, including GE Healthcare, Caremark, palmOne, Logitech, McGraw-Hill and Tivo. OutStart Participate combines three different systems into one powerful knowledge-sharing platform. --------------------------------------------------------- - Discussion --------------------------------------------------------- The software is affected by an Access Validation Error that could allow a malicious users to rename or delete critical directory objects. This could result in a denial of service of all library, forum, and/or specialized content until the directory objects were restored or renamed appropriately. The Vendor has been notified of this issue, and has developed a patch. Sites and persons using the software are advised to install the patch - available from the vendor. --------------------------------------------------------- - Sample Exploit Code --------------------------------------------------------- http://www.targetsite.com/pe/repository/displaynavigator.jsp?rootFolder=101 -Allows an attacker to browse a limited directory tree (in this case, the action directory. Changing to "rootFolder=105" allows for the document library to be browsed. http://www.targetsite.com/pe/repository/include/renamepopup.jsp?selectedObject=101 -Allows an attacker to rename the selected object ID (in this case, the action directory). http://www.targetsite.com/pe/repository/displaydeletenavigator.jsp?selectedObjectsCSV=101 -Sets the object CSV for the delete navigator. The following javascript commands might also be used to call functions otherwise unavailable to the user: showDeleteView() showWebFolderView() showLibraryView() showMyLibraryView() singleSelectObject(objid) processRadioSelection(radio, objid) processCheckboxSelection(chkbox, objid) singleSelectObject(objid) addToSelectedObjects(objid) removeFromSelectedObjects(objid) --------------------------------------------------------- - Solutions --------------------------------------------------------- The vendor has provided a patch. Its effectiveness is not confirmed, nor is its distribution. --------------------------------------------------------- - References --------------------------------------------------------- Authorative and updated copies of this vulnerability can be found at: http://security.honour.ca --------------------------------------------------------- - Credits --------------------------------------------------------- Discovered by: Altrus [root@xxxxxxxxx]
