Hello,
We have found a security issue in OpenKM 6.3.2 authorization. I don't know if it is because of configuration errors in my setup, or it's a bug.
Users can change other users' passwords. In such a situation everyone can get administrative privileges. The only requirement: the user has to know the other user's id. When changing the password in Tools->Preferences->User configuration, if you can edit the POST response before sending it to the server, you can change the user id in the response to any other user id. In such a case you will change the password of another user. If the okmAdmin user is present in the system, you can change that user's password and get access to administrative privileges.
Can you tell me if it's a bug, or a configuration error?
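The class of flaw described in the report (the server trusting a client-supplied user id on a password change instead of the authenticated session) can be illustrated with a small handler. This is an added example, not OpenKM code; the `Session`, `USERS` store and form field names are constructed for illustration and do not reflect OpenKM's real implementation.

```python
"""Added example (not OpenKM code): a password-change handler that trusts the
client-sent user id, beside one that binds the change to the session principal."""
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str           # principal established at login, server-side
    is_admin: bool = False


class AuthorizationError(Exception):
    pass


# Constructed sample user store (user id -> password), plain text only for brevity.
USERS = {"okmAdmin": "admin-secret", "alice": "alice-pass"}


def change_password_vulnerable(session: Session, form: dict) -> str:
    """Trusts the 'userId' field of the POST body: any logged-in user who edits
    that field can overwrite another account's password (the reported issue)."""
    target = form["userId"]
    USERS[target] = form["newPassword"]
    return target


def change_password_fixed(session: Session, form: dict) -> str:
    """Ignores the client-sent id unless the caller is an admin; a self-service
    change is always applied to the session's own principal."""
    target = form.get("userId", session.user_id)
    if target != session.user_id and not session.is_admin:
        # Mismatch between session principal and requested target: refuse and
        # surface it, since a tampered request is the likely cause.
        raise AuthorizationError(f"{session.user_id!r} may not change {target!r}")
    USERS[target] = form["newPassword"]
    return target


def run_scenarios() -> dict:
    """Exercise both handlers with a tampered form from a non-admin session."""
    tampered = {"userId": "okmAdmin", "newPassword": "owned"}
    outcome = {}
    outcome["vulnerable_target"] = change_password_vulnerable(Session("alice"), tampered)
    outcome["admin_pw_after_vulnerable"] = USERS["okmAdmin"]
    try:
        change_password_fixed(Session("alice"), tampered)
        outcome["fixed_rejected"] = False
    except AuthorizationError:
        outcome["fixed_rejected"] = True
    outcome["admin_pw_after_fixed"] = USERS["okmAdmin"]
    outcome["admin_self_change"] = change_password_fixed(
        Session("okmAdmin", is_admin=True), {"userId": "okmAdmin", "newPassword": "new"})
    return outcome
```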