Multiple Omnidocs defects and repair

 

Title: Multiple Vulnerability in "Omnidocs"

Author: Sohil Garg www.2cto.com

: Http://www.newgensoft.com/omnidocs.asp

Affected Version: All

Test Platform: Apache-Coyote/1.1

# CVE: CVE-2011-3645

 

Multiple defects in "Omnidocs"

 

Product Description:

OmniDocs is an Enterprise Document Management (EDM) platform for creating, capturing, managing, delivering and archiving large volumes of documents and

 

Contents. Also integrates seamlessly with other enterprise applications.

Defects:

------------------

��

1. defect category

Privilege escalation

 

Affected URL:

Http://www.bkjia.com/omnidocs/doccab/doclist. jsp? DocListFolderId = 927964 & FolderType = G & FolderRights = 010000000 & FolderName = 1234 & FolderOwner = test & FolderLocation = G & Fold

ErAccessType = I & ParentFolderIndex = 100 & FolderPathFlag = Y & Fetch = 5 & VolIndex = 1 & VolIndex = 1

��

Vulnerable Parameter:

FolderRights

 

Example

Omnidocs application does not validate 'folderrights' parameter. This parameter cocould be modified to '000000' to get full access including rights to add ��

Events, add folders, delete folders and place orders.

 

 

 

2. defect category

Direct Object Access

 

Sample URL:

Http://www.bkjia.com/omnidocs/doccab/userprofile/editprofile. jsp

 

Vulnerable Parameter:

UserIndex

 

Example:

Omnidocs application does not validate 'userindex' parameter. 'userindex' parameter is used to access the personal setting page. This parameter can be

Changed to other valid numbers thereby gaining access to view or change other user's personal settings.

 

 

Timeline:

Notified Vendor: 01-Sep-2011

No response received ed from vendor for 3 weeks

Public Disclosure: 23-Sep-2011

 

Greetz:

1] Nikhil Mittal