openDCIM Missing Authorization Vulnerability in LDAP Configuration
Vulnerability
A missing authorization vulnerability has been identified in openDCIM version 23.04, through commit 4467e9c4. The issue resides in 'install.php' and 'container-install.php', where the installer and upgrade handler expose LDAP configuration functionality without proper role checks. This flaw allows any authenticated user to access the functionality, regardless of their assigned privileges. In environments where 'REMOTE_USER' is set without authentication enforcement, the endpoint may be accessible without credentials, enabling unauthorized modifications to the application configuration.
Impact
Exploitation of this vulnerability allows for unauthorized access to the LDAP configuration functionality, potentially leading to unauthorized modifications of the application configuration. When chained with other vulnerabilities, it can result in remote code execution.
Reproduction
The vulnerability can be reproduced by accessing 'install.php' or 'container-install.php' with a valid 'REMOTE_USER' environment variable. This can be done by configuring an Apache server to use 'AuthType Basic' with a '.htpasswd' file or LDAP authentication. Once authenticated, the LDAP configuration form can be accessed without the necessary privileges, allowing for unauthorized changes to the application configuration.
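The missing role check described under Vulnerability, and the reliance on REMOTE_USER described in the reproduction steps, illustrated as an added PHP example that is not openDCIM's code: a constructed installer handler in its vulnerable form next to a hardened form. The function names, the configuration keys, the $lookupUser callback and the $installComplete flag are all assumptions made for this example, not identifiers from the project.

```php
<?php
// Added, hypothetical example; not openDCIM code. It models the bug class described
// in the advisory: an install/upgrade handler that treats the mere presence of
// REMOTE_USER as sufficient authorization to rewrite LDAP settings.
declare(strict_types=1);

// --- Vulnerable pattern: authentication is assumed, authorization is never checked.
function vulnerable_ldap_config_handler(array $server, array $post, array $config): array
{
    // Only checks that the web server reported *some* user name. If REMOTE_USER is
    // populated without real authentication enforcement, this passes for anyone.
    if (empty($server['REMOTE_USER'])) {
        return ['status' => 401, 'config' => $config];
    }
    // Any authenticated user (regardless of role) can change LDAP settings.
    foreach (['ldap_server', 'ldap_base_dn', 'ldap_bind_dn', 'ldap_bind_password'] as $key) {
        if (array_key_exists($key, $post)) {
            $config[$key] = (string) $post[$key];
        }
    }
    return ['status' => 200, 'config' => $config];
}

// --- Hardened pattern: resolve the identity to an application user record, require
// an administrative role, and refuse to serve the installer once setup is finished.
function hardened_ldap_config_handler(
    array $server,
    array $post,
    array $config,
    callable $lookupUser,      // hypothetical: maps a user name to a user record or null
    bool $installComplete      // hypothetical: true once the application is installed
): array {
    $username = $server['REMOTE_USER'] ?? '';
    if ($username === '') {
        return ['status' => 401, 'config' => $config];
    }
    // The header value identifies the user; it is not proof of role.
    $user = $lookupUser($username);
    if ($user === null || empty($user['is_admin'])) {
        return ['status' => 403, 'config' => $config];
    }
    // A finished installation has no reason to expose configuration changes
    // through the installer/upgrade endpoint.
    if ($installComplete) {
        return ['status' => 403, 'config' => $config];
    }
    // Only the expected keys may be changed (constructed key names).
    $allowed = ['ldap_server', 'ldap_base_dn', 'ldap_bind_dn', 'ldap_bind_password'];
    foreach ($allowed as $key) {
        if (array_key_exists($key, $post)) {
            $config[$key] = (string) $post[$key];
        }
    }
    return ['status' => 200, 'config' => $config];
}

// Constructed sample data: a user table with one ordinary user and one admin,
// a request from the ordinary user, and a starting configuration.
$users  = ['alice' => ['is_admin' => false], 'root' => ['is_admin' => true]];
$lookup = static fn (string $name): ?array => $users[$name] ?? null;
$config = ['ldap_server' => 'ldaps://ldap.example.internal'];
$post   = ['ldap_server' => 'ldaps://replacement.example.internal'];

$v = vulnerable_ldap_config_handler(['REMOTE_USER' => 'alice'], $post, $config);
printf("vulnerable, alice:          HTTP %d, ldap_server=%s\n", $v['status'], $v['config']['ldap_server']);

$h = hardened_ldap_config_handler(['REMOTE_USER' => 'alice'], $post, $config, $lookup, false);
printf("hardened, alice:            HTTP %d, ldap_server=%s\n", $h['status'], $h['config']['ldap_server']);

$h = hardened_ldap_config_handler(['REMOTE_USER' => 'root'], $post, $config, $lookup, false);
printf("hardened, root (installing): HTTP %d, ldap_server=%s\n", $h['status'], $h['config']['ldap_server']);

$h = hardened_ldap_config_handler(['REMOTE_USER' => 'root'], $post, $config, $lookup, true);
printf("hardened, root (installed):  HTTP %d, ldap_server=%s\n", $h['status'], $h['config']['ldap_server']);
```

Run with `php example.php`. The vulnerable handler accepts the change from the non-admin user, while the hardened one returns 403 for that user, permits the admin only while installation is still in progress, and rejects everyone once the install flag is set. The two checks are independent: the role check closes the privilege gap the advisory describes, and the install-complete gate removes the endpoint's exposure after setup regardless of how REMOTE_USER came to be populated.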
Remediation
The vulnerability has been patched in the openDCIM repository. The official patch can be found in the GitHub pull request #1664.
