BMC Remedy 7.1 User Impersonation Vulnerability

2018-12-01
ID: 100371
CVE: None
Download vulnerable application: None
<!--
# Exploit Title: Impersonation may lead to incorrect user context in Remedy
AR System Server in BMC Remedy 7.1
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://www.bmc.com/
# Software Link: http://www.bmc.com/
# Version: Impersonation may lead to incorrect user context in Remedy AR
System Server in BMC Remedy 7.1
# Tested on: all
# CVE : CVE-2018-19505
# Category: webapps
 1. Description
 Remedy AR System Server in BMC Remedy 7.1 may fail to set the correct user
context in certain impersonation scenarios, which can allow a user to act
with the identity of a different user.
  2. Proof of Concept
 Impersonation may lead to incorrect user context in Remedy AR System Server
in BMC Remedy 7.1.
 Go to WorkOrderConsole:
 In Request:
/WOI:WorkOrderConsole/Default+User+View+(Support)/userdata.js?winname=SERVERWOIWOI+WORKOrderConsole12345643244
(last values can change)
 In response change the user value in function
UserData_Init(){ARKWSetup(2,"USERNAME_TO_CHANGE","....more values).
  3. Solution:
 Update to the latests version Remedy AR System Server in BMC Remedy 8.1.
1.1.11-prod (www01)