OpenDocMan 1.2.6.2 - 3 Vulnerabilities
#1 - Unprotected id parameter
-----------------------------
In check-in.php the id variable is not filtered so that one can put in
additional SQL statements. I have been able to get a UNION SELECT query
to run but I do not think it's exploitable because there is a second
query that runs with the id variable that will fail. Nonetheless it is
possible to get my string to the interpreter as valid SQL.

#2 - Password reset allows anyone to reset the admin password
-------------------------------------------------------------
forgot_password.php does not have any authentication or checking to make
sure the user is only changing their own password. So, an unauthenticated
user can reset the password of any account if this functionality is
enabled. It is disabled by default.

#3 - ACL broken for restricted documents
----------------------------------------
Assume a user uploads a file and puts restricted access control around it,
preventing any other users from accessing it through the software
interface. If an attacker were to change the aku parameter to include
the restricted file number, they would be able to use the check-out.php
page to retrieve the restricted file.

Thanks to Stephen Laurence, the developer for this OSS project, for the
quick replies. These issues were addressed by the developer (although I
did not test the changes). Please download the latest version.

Ken
http://silverbackventuresllc.com
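As an added illustration, not the project's own code: a hardened PHP handler in the style of check-out.php that addresses the root causes of #1 and #3 above, binding the document id as an integer through a prepared statement, and deciding access server-side from the session user and the document's ACL rather than from a client-supplied parameter. The table and column names (documents, document_acl, stored_name) and the helper name are assumptions.

```php
<?php
// Illustrative hardened check-out handler (added example, not OpenDocMan code).
// Schema names below are assumptions for the sake of the example.
declare(strict_types=1);

function checkout_document(PDO $db, int $userId, array $request, string $dataDir): ?string
{
    // Reject anything that is not a plain positive integer before it reaches SQL,
    // so stacked or UNION statements in the id parameter never reach the parser.
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // Authorization comes from the session user and the server-side ACL table,
    // never from a client-supplied list of permitted document ids. The row is
    // returned only when the user owns the document or appears in its ACL.
    // (Distinct placeholder names: native MySQL prepares reject reused names.)
    $stmt = $db->prepare(
        'SELECT d.id, d.stored_name
           FROM documents d
      LEFT JOIN document_acl a ON a.doc_id = d.id AND a.user_id = :uid_acl
          WHERE d.id = :id AND (d.owner_id = :uid_owner OR a.user_id IS NOT NULL)'
    );
    $stmt->execute([':id' => $id, ':uid_acl' => $userId, ':uid_owner' => $userId]);
    $doc = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($doc === false) {
        // Same response for "missing" and "forbidden", so the endpoint does not
        // confirm which restricted ids exist.
        http_response_code(404);
        return null;
    }

    // Build the on-disk path from the stored name, never from request input,
    // and confirm it stays inside the data directory.
    $base = realpath($dataDir);
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($doc['stored_name']));
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return null;
    }
    return $path; // caller streams the file from this vetted path
}
```

The caller is expected to take `$userId` from an authenticated session; the function returns null (after setting the status code) whenever the request should not be served.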