Zero Science Lab » LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness

LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness

Title: LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness
Advisory ID: ZSL-2018-5451
Type: Local/Remote
Impact: Exposure of Sensitive Information
Risk: (2/5)
Release Date: 11.02.2018

Summary

LogicalDOC is a free document management system that is designed to handle and share documents within an organization. LogicalDOC is a content repository, with Lucene indexing, Activiti workflow, and a set of automatic import procedures.

Description

The weakness is caused due to the 'j_spring_security_check' script and how it verifies provided credentials. Attacker can use this weakness to enumerate valid users on the affected node.

Vendor

LogicalDOC Srl - https://www.logicaldoc.com

Affected Version

7.7.4
7.7.3
7.7.2
7.7.1
7.6.4
7.6.2
7.5.1
7.4.2
7.1.1

Tested On

Microsoft Windows 10
Linux Ubuntu 16.04
Java 1.8.0_161
Apache-Coyote/1.1
Apache Tomcat/8.5.24
Apache Tomcat/8.5.13
Undisclosed 8.41

Vendor Status

[26.01.2018] Vulnerabilities discovered.
[30.01.2018] Vendor contacted.
[07.02.2018] No response from the vendor.
[08.02.2018] Vendor contacted again.
[10.02.2018] No response from the vendor.
[11.02.2018] Public security advisory released.

PoC

logicaldoc_enum.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://cxsecurity.com/issue/WLB-2018020151
[2] https://packetstormsecurity.com/files/146353
[3] https://www.exploit-db.com/exploits/44019/
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/139088

Changelog

[11.02.2018] - Initial release
[21.02.2018] - Added reference [1], [2], [3] and [4]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk