• Security issue while changing password

#43232 by Donatas

Hello,

We have found a security issue in OpenKM 6.3.2 authorization. I don't know if it is because of configuration errors in my setup, or if it's a bug.
Users can change other users' passwords. In such a situation everyone can get administrative privileges. The only requirement is that the user has to know the other user's id. When changing the password in Tools->Preferences->User configuration, if you can edit the POST response before sending it to the server, you can change the user id in the response to any other user id. In that case you will change the password of another user. If the okmAdmin user is present in the system, you can change that user's password and get access to the administrative privileges.
Can you tell me if it's a bug, or a configuration error?
#43244 by jllort

I have taken a look at the source code and it seems we have a stupid bug here. We will correct it in the community edition. However, when the password is changed it is registered in the activity log, so you should see that another user has reset it.
#43245 by jllort

I have already updated the source code of the community version to solve it. Confirm to me whether it is now working correctly.

You can check the nightly build tomorrow at http://integration.openkm.com/ (this OpenKM.war version is for version 6.3.2, which means you can directly swap the war file: stop OpenKM, change the war file and start again).

Thanks for the advice.
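To make the reported flaw and the kind of server-side check a fix needs concrete, here is an added illustrative model (not OpenKM's code; the `Session`, `USERS` store, form field names and `ACTIVITY_LOG` are constructed for the example). The weak handler takes the target user id from the submitted form, as in the report; the hardened one binds the target to the logged-in session, lets only administrators change someone else's password, requires the current password otherwise, and records every outcome in an activity log as jllort describes.

```python
# Added illustrative model, not OpenKM's code: a "change password" handler in
# its weak form (target user taken from the POST body, as in the report) and a
# hardened form (target bound to the login session, others only for admins).
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class Session:
    user_id: str          # identity established at login, never from the form
    is_admin: bool = False

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: user id -> (salt, password hash)
USERS = {}
for _uid, _pw in (("okmAdmin", "admin-secret"), ("donatas", "user-secret")):
    _salt = os.urandom(16)
    USERS[_uid] = (_salt, _hash(_pw, _salt))

ACTIVITY_LOG = []  # (actor, action, target): the trail jllort points to

def verify(user_id: str, password: str) -> bool:
    salt, stored = USERS[user_id]
    return hmac.compare_digest(stored, _hash(password, salt))

def change_password_weak(session: Session, form: dict) -> bool:
    """Weak: whoever is logged in may overwrite any account named in the form."""
    target = form["userId"]
    salt = os.urandom(16)
    USERS[target] = (salt, _hash(form["newPassword"], salt))
    ACTIVITY_LOG.append((session.user_id, "SET_USER_PASSWORD", target))
    return True

def change_password_fixed(session: Session, form: dict) -> bool:
    """Hardened: non-admins may only change their own password and must
    present the current one; every outcome is written to the activity log."""
    target = form.get("userId", session.user_id)
    if target != session.user_id and not session.is_admin:
        ACTIVITY_LOG.append((session.user_id, "DENIED_SET_USER_PASSWORD", target))
        return False
    if not session.is_admin and not verify(session.user_id, form.get("currentPassword", "")):
        ACTIVITY_LOG.append((session.user_id, "BAD_CURRENT_PASSWORD", target))
        return False
    salt = os.urandom(16)
    USERS[target] = (salt, _hash(form["newPassword"], salt))
    ACTIVITY_LOG.append((session.user_id, "SET_USER_PASSWORD", target))
    return True
```

The denied and bad-password entries in `ACTIVITY_LOG` are what an administrator would review to spot attempts against other accounts.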
