OpenDocMan Access Control Error in 'commitchange.php' Lets Remote Authenticated Users Make Unauthorized Changes
|
|
SecurityTracker Alert ID: 1010782
|
|
SecurityTracker URL: http://securitytracker.com/id?1010782
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jul 27 2004
|
Impact: Modification of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 1.2
|
Description: A vulnerability was reported in OpenDocMan. A remote authenticated user can make unauthorized changes.
The vendor reported that 'commitchange.php' does not properly check to make sure that a user is authorized to make changes. A remote
authenticated user can make changes that they are not authorized to make, including adding/deleting/updating a user, department,
or category.
|
Impact: A remote authenticated user can add, update, or delete users, departments, or categories.
|
Solution: The vendor has released a fixed version (1.2), available at:
http://sourceforge.net/project/showfiles.php?group_id=69505
|
Vendor URL: sourceforge.net/project/shownotes.php?release_id=255785 (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 27 Jul 2004 01:30:21 -0400
Subject: http://sourceforge.net/project/shownotes.php?release_id=255785
|
http://sourceforge.net/project/shownotes.php?release_id=255785
> commitchange.php: fixed security vulnerability where commitchange was not checking to
> make sure users were authorized to make the requested changes
|
|
