Security issue while changing password

PostPosted:Thu Feb 16, 2017 5:54 am
by Donatas
Hello,

We have found security issue in OpenKM 6.3.2 authorization. I don't know if it is because of configuration errors in my setup, or it's a bug.
Users can change other users' passwords. In such situation everyone can get administrative privileges. The only requirement - user has to know other user's id. When changing password in Tools->Preferences->User configuration if you can edit POST response before sending to the server, you can change user id in the response to any other user id. In such case you will change password of another user. If okmAdmin user is present in the system, you can change user's password and get access to the administrative privileges.
Can you tell me if it's a bug, or a configuration error?
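The flaw described in the post is a password-change handler that trusts a user id sent by the client instead of the one bound to the authenticated session. The following is an added illustration written for this thread, not OpenKM's code: an in-memory stand-in for the user store, session and activity log, with the vulnerable handler beside a hardened one, plus a small query over the log that surfaces resets where the actor differs from the target account (the kind of entry the later reply says should be visible). All names (`UserStore`, `Session`, `change_password_vulnerable`, `change_password_fixed`, `cross_user_resets`, the field names `userId`, `currentPassword`, `newPassword`) and the sample accounts are constructed for the example.

```python
"""Model of a password-change endpoint: client-supplied target id (vulnerable)
versus session-bound target id (fixed). Constructed example; the store,
session and audit log are stand-ins, not OpenKM classes or its real form fields."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000


@dataclass
class Session:
    user_id: str  # principal established at login; the server owns this value


@dataclass
class UserStore:
    hashes: dict = field(default_factory=dict)     # user_id -> (salt, pbkdf2 digest)
    audit_log: list = field(default_factory=list)  # stand-in for the activity log

    def set_password(self, user_id, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.hashes[user_id] = (salt, digest)

    def check_password(self, user_id, password):
        salt, digest = self.hashes[user_id]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)


def change_password_vulnerable(store, session, form):
    """Reproduces the reported bug: the target account is read from the POST
    body, so any logged-in user who knows another id can overwrite that
    user's password. The log still records who did it."""
    target = form["userId"]
    store.set_password(target, form["newPassword"])
    store.audit_log.append({"actor": session.user_id, "target": target, "action": "SET_PASSWORD"})
    return target


def change_password_fixed(store, session, form):
    """Hardened form: the target is always the session principal. A userId in
    the body that disagrees is rejected and logged, and the current password
    is re-verified before anything is written."""
    target = session.user_id
    if form.get("userId") not in (None, target):
        store.audit_log.append({"actor": session.user_id, "target": form["userId"],
                                "action": "REJECTED_CROSS_USER_RESET"})
        raise PermissionError("cannot change another user's password")
    if not store.check_password(target, form["currentPassword"]):
        raise PermissionError("current password does not match")
    store.set_password(target, form["newPassword"])
    store.audit_log.append({"actor": target, "target": target, "action": "SET_PASSWORD"})
    return target


def attempt(handler, store, session, form):
    """Run a handler and report whether the change was allowed."""
    try:
        handler(store, session, form)
        return True
    except PermissionError:
        return False


def cross_user_resets(store):
    """Detection query over the log: entries whose actor is not the target.
    On an unpatched system this is the trace a takeover leaves behind."""
    return [e for e in store.audit_log if e["actor"] != e["target"]]


def fresh_store():
    # constructed sample accounts: a regular user and the built-in admin account
    store = UserStore()
    store.set_password("alice", "alice-pw")
    store.set_password("okmAdmin", "admin-pw")
    return store


def demo():
    """Replay the tampered request against both handlers; return what happened."""
    tampered = {"userId": "okmAdmin", "currentPassword": "alice-pw", "newPassword": "pwned"}
    alice = Session(user_id="alice")

    s1 = fresh_store()
    attempt(change_password_vulnerable, s1, alice, tampered)
    s2 = fresh_store()
    allowed = attempt(change_password_fixed, s2, alice, tampered)

    return {
        "vulnerable_admin_taken_over": s1.check_password("okmAdmin", "pwned"),
        "vulnerable_log_flags_it": len(cross_user_resets(s1)) == 1,
        "fixed_allowed_change": allowed,
        "fixed_admin_intact": s2.check_password("okmAdmin", "admin-pw"),
        "fixed_log_flags_attempt": cross_user_resets(s2)[0]["action"] == "REJECTED_CROSS_USER_RESET",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is the single line `target = session.user_id`: the server never lets the request body name the account being changed. Requiring the current password closes the related case where a hijacked session alone would be enough to lock the real user out, and logging the rejected attempt gives the activity log something to alert on.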

Re: Security issue while changing password

PostPosted:Fri Feb 17, 2017 6:03 pm
by jllort
I have taken a look in the source code and it seems we have a stupid bug here. We will correct it in the community edition. However, when you change the password it is registered in the activity log, so you should see that another user has reset it.

Re: Security issue while changing password

PostPosted:Fri Feb 17, 2017 7:39 pm
by jllort
I have already updated the source code of the community version to solve it. Confirm to me if it is now going right.

You can check the nightly build tomorrow at http://integration.openkm.com/ ( this OpenKM.war version is for version 6.3.2, which means you can directly change the war file: stop OpenKM, change the war file and start again ).

Thanks for the advice.