WebEOC ties privileges and roles to client-side resources. If an attacker can access a resource directly, that attacker will be granted all the privileges associated with that resource.
WebEOC is a web-based crisis information management application that provides functions to gather, coordinate, and disseminate information between emergency personnel and emergency operations centers (EOC). WebEOC privileges and authorizations are granted to a user based on the resources they are accessing. It is assumed that if a user can navigate to a specific resource, then that user is authorized to use that resource and obtain all privileges associated with it. In numerous places in a WebEOC system, resources are requested via URIs. An attacker may be able to exploit this design by crafting a URI that directly accesses a resource, thus elevating that attacker's privileges.
Attackers may be able to gain elevated privileges giving them access to sensitive information and resources.
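The following is an added illustration of the design flaw described above, not WebEOC code: resource names, the role table and the privilege sets are constructed for the example. The vulnerable handler derives a user's privileges from the resource reached, while the hardened handler checks a server-side session role on every request before serving the resource.

```python
# Constructed session-to-role map standing in for server-side session state.
ROLES = {"alice": "operator", "bob": "admin"}
RANK = {"operator": 1, "admin": 2}

# Hypothetical resources. "grants" is the privilege set the resource confers;
# "requires" is the role that should be needed to use it.
RESOURCES = {
    "/board/view":  {"grants": {"read"},                 "requires": "operator"},
    "/admin/users": {"grants": {"read", "manage_users"}, "requires": "admin"},
}


def vulnerable_handle(user, uri):
    """Privileges follow the resource: reaching the URI is taken as proof of
    authorization, so the caller's actual role is never consulted."""
    res = RESOURCES.get(uri)
    if res is None:
        return None                      # unknown resource (404)
    return set(res["grants"])            # granted regardless of `user`


def hardened_handle(user, uri, audit_log=None):
    """Server-side check on every request: the role comes from the session
    table, not from the URI, and the resource is served only if that role
    is sufficient. Denials are recorded so they can be alerted on."""
    res = RESOURCES.get(uri)
    if res is None:
        return None                      # unknown resource (404)
    role = ROLES.get(user)
    if role is None or RANK[role] < RANK[res["requires"]]:
        if audit_log is not None:
            audit_log.append(f"DENY user={user!r} uri={uri} role={role}")
        return None                      # forbidden (403)
    return set(res["grants"])


if __name__ == "__main__":
    log = []
    print("vulnerable:", vulnerable_handle("alice", "/admin/users"))
    print("hardened:  ", hardened_handle("alice", "/admin/users", log))
    print("\n".join(log))
```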
Version 6.0.2 corrects this vulnerability. According to ESi:
This document is based on technical analysis by IOActive and additional information from ESi. Thanks also to the City of Seattle for bringing this to our attention.
Date First Published: 2005-07-13
Date Last Updated: 2005-07-20 03:58 UTC