<<< Date Index >>>     <<< Thread Index >>>

PE Multiple Remote Access Validation Vulnerabilities (Participate Systems Inc. / Outstart Inc.)


--------------------------------------------------------
- Multiple Remote Access Validation Vulnerabilities
- With PE (community software)
--------------------------------------------------------
(Altrus::security.honour.ca)

Program name: PE
  
Versions affected: <unknown>


Vendor(s):      Outstart Inc.
                Participate Systems Inc.

Vendor Notification Date: 23 FEB 2005

Risk: Moderately Serious
Impact: Denial of Service, File Upload


Vendor Homepages:  http://www.outstart.com
                   http://www.participate.com

---------------------------------------------------------
- Description
---------------------------------------------------------

PE is a proprietary java-based community that mimics the 
functionality provided by existing open-source software. 
It facilitates community forums, document libraries, 
message boards, user interaction and an user management 
infrastructure.


>From vendor site:

Available as either a hosted or installed solution, 
OutStart Participate is improving the collaboration and 
knowledge-sharing capabilities of many world-class 
companies, including GE Healthcare, Caremark, palmOne, 
Logitech, McGraw-Hill and Tivo. OutStart Participate 
combines three different systems into one powerful 
knowledge-sharing platform.


---------------------------------------------------------
- Discussion
---------------------------------------------------------

The software is affected by an Access Validation Error 
that could allow a malicious users to rename or delete 
critical directory objects. This could result in a denial 
of service of all library, forum, and/or specialized 
content until the directory objects were restored or 
renamed appropriately.


The Vendor has been notified of this issue, and has 
developed a patch. Sites and persons using the software 
are advised to install the patch - available from the 
vendor.

---------------------------------------------------------
- Sample Exploit Code
---------------------------------------------------------

http://www.targetsite.com/pe/repository/displaynavigator.jsp?rootFolder=101
        -Allows an attacker to browse a limited directory tree (in this case, 
the action directory. Changing to "rootFolder=105" allows for the document 
library to be browsed.
                
http://www.targetsite.com/pe/repository/include/renamepopup.jsp?selectedObject=101
        -Allows an attacker to rename the selected object ID (in this case,     
the action directory).

http://www.targetsite.com/pe/repository/displaydeletenavigator.jsp?selectedObjectsCSV=101
        -Sets the object CSV for the delete navigator.

The following javascript commands might also be used to 
call functions otherwise unavailable to the user:

showDeleteView()
showWebFolderView()
showLibraryView()
showMyLibraryView()
singleSelectObject(objid)
processRadioSelection(radio, objid)
processCheckboxSelection(chkbox, objid)
singleSelectObject(objid)
addToSelectedObjects(objid)
removeFromSelectedObjects(objid)

---------------------------------------------------------
- Solutions
---------------------------------------------------------

The vendor has provided a patch. Its effectiveness is 
not confirmed, nor is its distribution.

---------------------------------------------------------
- References
---------------------------------------------------------

Authorative and updated copies of this vulnerability can 
be found at:

http://security.honour.ca

---------------------------------------------------------
- Credits
---------------------------------------------------------

Discovered by: Altrus [root@xxxxxxxxx]