LAC Advisory

SNS Advisory No.93
Minna De Office Improper URL Privilege Escalation Vulnerability

Discovered on: 02 Nov 2006
Released on: 04 Apr 2007


Severity:
Medium

Overview:
Minna De Office has a vulnerability that allows unprivileged users to access administrator pages, which should be available only to administrators. Attackers with login privileges could exploit this vulnerability to obtain administrator privileges improperly.

Description:
Minna De Office is a web-based groupware for UNIX and Windows.

Because of an access control flaw, unprivileged users can access administrator pages, which should be available only to administrators.

Therefore, attackers with login privileges can escalate to administrator privileges, which could result in the execution of transactions that were not originally permitted.

Affected Products and Versions:
Minna De Office 1.12 B and earlier
Minna De Office 2.00 and earlier

Solution:
The vulnerability can be fixed by installing the security update module, which is available at:
http://www.aisantec.com/mof/whats_new/070320.html

Discovered by:  
Yoshihiro Ishikawa (LAC)

Thanks to:
This LAC Advisory is released in coordination with the Information-technology Promotion Agency, Japan (IPA) and the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).

http://jvn.jp/jp/JVN%2373258608/index.html
http://www.ipa.go.jp/security/vuln/documents/2006/JVN_73258608.html

Disclaimer:

The information contained in this advisory may be revised without prior notice and is provided as is. Users act at their own risk when taking any action after reading this advisory. Little eArth Corporation Co., Ltd. shall not be held responsible for any claims, losses or damages caused by the use of information provided here.

 

This advisory is available at the following URL: 

http://www.lac.co.jp/english/advisory/93_e.html
