Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Last revised: 2021-11-01

Summary

We have had a vulnerability A vulnerability has been reported in our the utility controller used by Open-AudIT. The issue vulnerability has been fixed and will be available a patch is available as well as included in the next release of Open-AudIT (4.3.0). The vulnerability is caused by un-validated user input to a publicly available function. The patch removes this vulnerability by only allowing this function to be called from localhost as well as validating the user input.

...

This issue is remotely exploitable by unauthenticated users. All users are advised to apply the patch immediately.

Products Affected

Open-AudIT Community versions 3.5.0 and later.

...

A patch for the issue described in this bulletin will be available in the next released Open-AudIT v4.3.0, expected before Nov 12th (subject to change).

Fixes, Workarounds and Mitigations

Download the attached file and replace the following file:

...

Windows - c:\xampp\open-audit\code_igniter\application\controllers\util.php

The file is also available on Github at https://raw.githubusercontent.com/Opmantek/open-audit/master/code_igniter/application/controllers/util.php

You can view the associated commits see the code changed for this patch, also on Github at :

https://github.com/Opmantek/open-audit/commit/21547c1cd47d5e7f362d08febe1dfccf649fe5b1#diff-0d4f2e9612b02690fdeac430d36d1a8c334d6fb1e1d17c223cbfe5321b2bd04e

https://github.com/Opmantek/open-audit/commit/1ce039306d85598880ff25fbeb20195ef3b7a993#diff-0d4f2e9612b02690fdeac430d36d1a8c334d6fb1e1d17c223cbfe5321b2bd04e

...