OSVDB ID: 86254

Title: FileBound On-Site Password Change SOAP Request UserID Parameter Parsing Arbitrary Password Manipulation

Info

Disclosure

Oct 10, 2012

Discovery

Unknown

Dates

Exploit

Oct 10, 2012

Solution

Unknown

Description

FileBound On-Site contains a flaw that is triggered when the application fails to properly verify input passed via the 'UserID' parameter during the handling of a password change SOAP request. This may allow a remote attacker to reset any local user's password, without escalated privileges.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Public
Disclosure: Coordinated Disclosure

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, the vendor has reportedly released a patch to address this vulnerability.

Products

FileBound Document Management Solutions

FileBound On-Site

6.1.3

References

Exploit Database: 21892
Secunia Advisory ID: 50893
Vendor URL: http://www.filebound.com/document-management-system-edm
Other Advisory URL: http://www.senseofsecurity.com.au/advisories/SOS-12-010

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/86254