Skip to content
cyberexploits
webappjsptext

Omnidocs - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerabilities

Publié le 2011-09-27

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/jsp/webapps/17897.txt7eac4c3a
raw
--------------------------------------------------------------------

# Exploit Title: Multiple Vulnerability in "Omnidocs"

# Date: 24 Sep 2011

# Author: Sohil Garg

# Software Link: http://www.newgensoft.com/omnidocs.asp

# Version: All

# Tested on: Apache-Coyote/1.1

# CVE : CVE-2011-3645


---------------------------------------------------

"Omnidocs" Multiple vulnerability.

---------------------------------------------------

By � � � :Sohil Garg

Email � �:sohil_garg@yahoo.co.in

---------------------------------------------------


Product Description:

OmniDocs is an Enterprise Document Management (EDM) platform for creating, capturing, managing, delivering and archiving large volumes of documents and�



contents. Also integrates seamlessly with other enterprise applications.


------------------

Vulnerability

------------------


1.Vulnerbility Type

Privilege escalation



Affected URL:�

http://serverIP/omnidocs/doccab/doclist.jsp?DocListFolderId=927964&FolderType=G&FolderRights=010000000&FolderName=1234&FolderOwner=test&FolderLocation=G&Fold

erAccessType=I&ParentFolderIndex=100&FolderPathFlag=Y&Fetch=5&VolIndex=1&VolIndex=1


Vulnerable Parameter:�

FolderRights



Exploit

Omnidocs application does not validate 'FolderRights' parameter. This parameter could be modified to '111111111' to get full access including rights to add�

documents, add folders, delete folders and place orders.







2.Vulnerability Type

Direct Object Access



Sample URL:

http://serverIP/omnidocs/doccab/userprofile/editprofile.jsp



Vulnerable Parameter:

UserIndex



Exploit:

Omnidocs application does not validate 'UserIndex' parameter. 'UserIndex' parameter is used to access the personal setting page. This parameter can be�

changed to other valid numbers thereby gaining access to view or change other user's personal settings.





Timeline:

Notified Vendor: 01-Sep-2011

No response received from vendor for 3 weeks

Public Disclosure: 23-Sep-2011





-----------------------------------------------------

Greetz to:

1] Nikhil Mittal



Voir sur GitHub