SNS Advisory No.93
Minna De Office Improper URL Privilege Escalation Vulnerability
Problem first discovered on: Thu, 02 Nov 2006
Published on: Wed, 04 Apr 2007
Severity Level:
---------------
Medium
Overview:
---------
Minna De Office has a vulnerability that allows unprivileged users to access administrator pages, which should be available only to administrators. Exploitation of this vulnerability could allow attackers with login privileges to improperly obtain administrator privileges.
Problem Description:
--------------------
Minna De Office is web-based groupware for UNIX and Windows.
Because of an access control flaw, unprivileged users can access administrator pages, which should be available only to administrators.
Attackers with login privileges can therefore escalate to administrator privileges, which could result in the execution of transactions that they were not originally permitted to perform.
Affected Versions:
------------------
Minna De Office 1.12 B and earlier
Minna De Office 2.00 and earlier
Solution:
---------
The vulnerability can be fixed by installing the security update module, which is available at:
http://www.aisantec.com/mof/whats_new/070320.html
Discovered by:
--------------
Yoshihiro Ishikawa (LAC)
Thanks to:
----------
This SNS Advisory is being published in coordination with Information-technology Promotion Agency, Japan (IPA) and JPCERT/CC.
http://jvn.jp/jp/JVN%2373258608/index.html
http://www.ipa.go.jp/security/vuln/documents/2006/JVN_73258608.html
Disclaimer:
-----------
The information contained in this advisory may be revised without prior notice and is provided as is. Users take any action after reading this advisory at their own risk. LAC Co., Ltd. shall take no responsibility for any problems, loss or damage caused by, or by the use of, the information provided here.
This advisory can be found at the following URL:
http://www.lac.co.jp/english/advisory/93_e.html
