Readsoft Invoice Processing / Process Director XSS / Design Issues
Posted Aug 6, 2014
Authored by Johannes Greil | Site sec-consult.com

Readsoft Invoice Processing version 5.6 and Process Director version 7.2 suffer from cross site scripting and design vulnerabilities.

tags | advisory, vulnerability, xss
SHA-256 | 58bf606761fd0cbf2446293ded7d4bf6daba9b1265483f987c814d44bf97c023

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20140805-0 >
=======================================================================
title: Multiple vulnerabilities
product: Readsoft Invoice Processing / Process Director
vulnerable version: Invoice Servicepack 5.6, Process Director 7.2
fixed version: -
impact: Critical
homepage: http://www.readsoft.com
found: 2014-02-27
by: J. Greil, M. Hofer, B. Kopp
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
- ---------------------------
"ReadSoft has been a pioneer in P2P invoice automation since the 1990s, when
the company first brought free-form technology for invoice processing to
market. Today, ReadSoft continues to be a global leader in business document
process automation, with 2,500+ accounts payable solution applications
worldwide - more than double the total applications of all major competitors
put together."

URL: http://www.readsoft.com/about-us/who-we-are


Business recommendation:
- ------------------------
Vulnerabilities have been identified that are based on severe design flaws in
the application. It is highly recommended by SEC Consult not to use this
software until a thorough security review has been performed by security
professionals and all identified issues have been resolved.


Vulnerability overview/description:
- -----------------------------------
1) Reflected & stored Cross-Site Scripting
An unauthenticated user is able to perform Cross-Site Scripting attacks e.g.
create relogin Trojan Horses or steal session cookies in the context of the
affected web application "Process Director". Over 120 XSS issues have been
identified and it is assumed that many more exist.

Attackers are able to take over other user accounts and potentially gain
access to invoice data or other sensitive data.


2) Critical design issues
The Readsoft Invoice Processing software contains, among others, the tools /
software products "Manager", "Verify" and "Optimize". Those programs are usually
stored/installed locally on the user's system. They contain configuration
files that point to the global configuration, which is stored on a file server
in a multi-user environment and accessed via network shares.

The software then reads this global configuration file which contains user
accounts and passwords (some of them in cleartext!) for other integrated
systems such as SAP or database connections.
The client program also connects to the database with a high-privileged user
and access rights are managed locally on the client!

All users of the software suite must be able to access this network share with
full access rights (read/write) in order for the program to work properly.

Therefore, attackers can not only gain access to sensitive data such as passwords in
cleartext (SAP backend connection, database), scanned invoices, log &
licensing files etc. but potentially manipulate configuration files /
invoices or replace existing executables with malicious code.


Proof of concept:
- -----------------
1) Reflected & stored Cross-Site Scripting

The following URLs are only an example of vulnerable functionality which can
be exploited without authentication. Over 120 different issues have been
identified during the crash test:

[ Proof of concept details removed as no patch is available ]
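The advisory withholds the concrete URLs, so the following is an added illustration of the defect class rather than anything from the advisory or from Readsoft's code: a reflected-XSS-prone handler that echoes a query parameter into HTML, beside the same handler with context-aware output encoding. The handler names, the parameter "q" and the query string are constructed for this example.

```python
import html
from urllib.parse import parse_qs

# Constructed probe input for the example: a value that would break out of an
# HTML attribute and start a script element if reflected without encoding.
CONSTRUCTED_QUERY = "q=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def _search_term(query_string: str) -> str:
    """Extract the user-controlled 'q' parameter (URL-decoded by parse_qs)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_search_vulnerable(query_string: str) -> str:
    """Reflects the parameter verbatim into two HTML contexts (body text and
    a quoted attribute). Any '<', '>' or '"' in the input becomes markup."""
    term = _search_term(query_string)
    return (
        f'<input name="q" value="{term}">\n'
        f"<p>Results for: {term}</p>"
    )


def render_search_fixed(query_string: str) -> str:
    """Same page, but the value is HTML-encoded for the context it lands in.
    quote=True also encodes '"' and "'", which is what keeps the attribute
    context closed; escaping only '<' and '>' would not be enough there."""
    term = html.escape(_search_term(query_string), quote=True)
    return (
        f'<input name="q" value="{term}">\n'
        f"<p>Results for: {term}</p>"
    )


def reflects_raw_markup(rendered: str) -> bool:
    """Detection helper: True if a script element survived into the output."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("fixed", render_search_fixed)):
        out = render(CONSTRUCTED_QUERY)
        print(f"--- {name}: raw markup reflected = {reflects_raw_markup(out)}")
        print(out)
```

Encoding at the point of output is the fix that scales to "over 120 issues": it belongs in the template layer, applied by default, rather than being added case by case to each reflected parameter.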


2) Critical design issues
The file "..." contains configuration parameters for the SAP and also database
backend connections.

The SAP password is stored in cleartext. The database password is encrypted,
but it can easily be retrieved by using a debugger (method [...] in [...].dll).
Anti-debugging mechanisms can be circumvented by patching the application.

The database user needs full access rights to the database as the rights
management is done on the client. The user account information is stored in
the table "[...]".
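As an added example of how a defender can audit for the design flaw described in section 2 (credentials in a shared configuration file that every client can read and write, with an "encrypted" value the client itself must be able to decrypt), here is a small Python audit script. It is not from the advisory or from Readsoft; the INI layout, section and key names and the sample values are constructed, and the writability check uses the current process's permissions as a stand-in for the share ACL review an administrator would do on the file server.

```python
import configparser
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed sample config for the example (hypothetical sections and keys,
# not Readsoft's real file format). The values are invented.
CONSTRUCTED_CONFIG = """\
[SAP]
Server = sap.example.invalid
User = RFC_INVOICE
Password = Sommer2014

[Database]
Server = db.example.invalid
User = ip_dbo
PasswordEncrypted = 3Zq9yM0Kf8A=

[Logging]
Path = \\\\fileserver\\readsoft\\logs
"""

# Key names that usually carry a secret.
SECRET_KEY = re.compile(r"(password|passwd|pwd|secret|apikey)", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    key: str
    severity: str
    reason: str


def audit_config_text(text: str) -> list:
    """Flag every secret-carrying key. Cleartext is CRITICAL; an encrypted
    value is still HIGH, because the client that reads this file must also
    hold the key to decrypt it, so anyone who can run the client can too."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case for reporting
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if not SECRET_KEY.search(key) or not value.strip():
                continue
            if "encrypt" in key.lower():
                findings.append(Finding(section, key, "HIGH",
                    "encrypted value, but every client holding this file can decrypt it"))
            else:
                findings.append(Finding(section, key, "CRITICAL",
                    "credential stored in cleartext"))
    return findings


def audit_config_file(path: str) -> list:
    """Audit a file on disk or a mounted share: content findings plus a
    coarse writability check (os.access reflects the caller's rights, so
    run it as an ordinary user of the suite, not as an administrator)."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_config_text(fh.read())
    if os.access(path, os.W_OK):
        findings.append(Finding("<file>", os.path.basename(path), "HIGH",
            "config file is writable by the current user; settings and "
            "credentials can be altered by any client that can reach the share"))
    return findings


if __name__ == "__main__":
    # Write the constructed config to a temp file and audit it like a share copy.
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as tmp:
        tmp.write(CONSTRUCTED_CONFIG)
    for f in audit_config_file(tmp.name):
        print(f"[{f.severity}] {f.section}/{f.key}: {f.reason}")
    os.unlink(tmp.name)
```

The structural point the script encodes is that a secret the client can decrypt offers no real protection on a shared file, and that access control enforced on the client (the "user account information" table) is only as strong as the database account every client already holds; the durable fix is to move authorization and credential handling to a server-side component.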


Vulnerable / tested versions:
- -----------------------------
The vulnerability has been verified to exist in Invoice Servicepack 5.6 &
Process Director 7.2, which was the most recent version at the time of
discovery.


Vendor contact timeline:
- ------------------------
2014-06-03: Requesting security contact via online contact form (no security
contact or other suitable email addresses found online)
2014-06-06: (no reply) Sending email to info@, info-de@ and CTO of Readsoft
Attaching responsible disclosure policy & encryption keys
2014-06-12: Asking again for a security contact
2014-06-12: Vendor provides PGP key
2014-06-13: Sending encrypted advisory
2014-06-13: Vendor: will come back with further info
2014-06-24: Asking for status update
2014-07-02: Asking again for the status update, reminder regarding planned
advisory release date
2014-07-09: Answer from vendor that draft response is created, will send
approved version as soon as it's ready
2014-08-05: SEC Consult releases security advisory


Solution:
- ---------
The vendor did not provide any patch information.


Workaround:
- -----------
No workaround available.


Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF J. Greil / @2014

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJT4IzQAAoJECyFJyAEdlkK/vcH/3u4nIke9Mm6Oqntf01sCFer
V2cGP1VujKfrKq2xE0tfCywHVBPS++A0RQAcdkdWhqmUvbhdsHEplr51WQhuNefW
9z7ety8grITR7vfsZhYM4pgLIt2GD0Wby0V9Wu8LzjgD4Fty9k5gvrEupqMsK0eN
GOMa9cjciUrjnEwy7EqSKgv8eJttDdS1ncbKWI8Bkhi3htc/i2iLpiBXYBgR8RuW
xqHVtU2xHMkwb8Nrso1fAmqv3H/YLd0rodFXsF7cK6453FiuWNs40apANPt1naJy
v6cZczfWSk0EYF6RgPCKeVyJU2YKSnWDwGYESfx4Gaf8Kn180gjRHTYsDUM7R4o=
=1HyM
-----END PGP SIGNATURE-----