what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MATESO GmbH Password Safe And Repository Enterprise 7.4.4 Build 2247 SQL Injection

MATESO GmbH Password Safe And Repository Enterprise 7.4.4 Build 2247 SQL Injection
Posted Apr 11, 2017
Authored by Matthias Deeg | Site syss.de

MATESO GmbH Password Safe and Repository Enterprise version 7.4.4 build 2247 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | 9046651535626d2b33a64b0d5d4c33312e2e5842f722ec1cffb1649ca49e6f7b

MATESO GmbH Password Safe And Repository Enterprise 7.4.4 Build 2247 SQL Injection

Change Mirror Download
Hash: SHA512

Advisory ID: SYSS-2015-035
Product(s): Password Safe and Repository Enterprise
Manufacturer: MATESO GmbH
Affected Version(s): 7.4.4 Build 2247
Tested Version(s): 7.4.4 Build 2247
Vulnerability Type: Violation of Secure Design Principles (CWE-657)
SQL Injection (CWE-89)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2015-07-09
Solution Date: 2016-10-18
Public Disclosure: 2017-04-10
CVE Reference: Not yet assigned
Author of Advisory: Matthias Deeg (SySS GmbH)



Password Safe and Repository Enterprise is a password management
software for companies with many features.

The vendor MATESO GmbH describes the product as follows (see [1]):

"Manage your passwords in the company according to your security needs!
Features such as password policies, multi-eyes principle, workflow and
task system makes management productive and safe.

The integrated rights management system with data transfer option and
automatic synchronization with Active Directory ensures that your
employees can only access data which they are entitled to."


Vulnerability Details:

SySS GmbH found out that the password management software Password Safe
and Repository Enterprise violates secure design principles and
insufficiently implements user input validation concerning database
access via SQL statements.

These vulnerabilities enable an attacker to manipulate SQL statements
on the client side using a "malicious client" in order to perform
privilege escalation attacks or to gain authorized read and write
access to other user's data.

Different SQL statements that are created on the client side in the
context of different functionalities of the password management client
software can be manipulated and thus exploited for such attacks.

These vulnerabilities both affect the online and the offline mode of the
password management software, but there may be different requirements
for a successful exploitation like valid user credentials.


Proof of Concept (PoC):

1) Privilege escalation by retrieving information of another user

In order to perform a privilege escalation attack in the online mode
of the password management software Password Safe and Repository
Enterprise from the perspective of an authorized low-privileged user,
the parameter "ID" of the following SQL statement simply has to be


This SQL statement is used by the client software in the online mode for
retrieving user information from the server system after a successful
user login. If the parameter "ID" is set to a valid user ID of another
existing user, for example the built-in administrator account who has
usually the user ID 1, the application can be used with the privileges
of the user with the chosen user ID.

2) Privilege escalation by setting new user rights

Another possibility to perform a privilege escalation attack in the
online mode from the perspective of a low-privileged user is to
manipulate the following SQL statement that is used to update the
user's last login date:

UPDATE tdUsers SET LastLogin = julianday('<DATE>'), ChangeDate =
julianday('<DATE>') WHERE ID = <USER ID>

By replacing this UPDATE SQL statement by the following one, the user
rights of an arbitrary user can be modified, for example by setting
all available rights:

UPDATE tdUsers SET UserRights =
'11111111111111111111111111111111111111111111111111' WHERE ID = <USER ID>



The MATESO GmbH released the new software version Password Safe and
Repository Enterprise 8 that is not affected by the described security

Please contact the manufacturer for further information or support.


Disclosure Timeline:

2015-07-09: Vulnerability reported to manufacturer
2015-07-09: Manufacturer acknowledges e-mail with SySS security advisory

2015-07-30: Scheduling of the publication date in agreement with the
2015-10-02: Rescheduling of the publication date in agreement with the
2016-10-18: Manufacturer presents new software version with fixed
security issues
2017-04-10: Public release of security advisory



[1] Product website for Password Safe and Repository Enterprise
[2] SySS Security Advisory SYSS-2015-035

[3] SySS Responsible Disclosure Policy



This security vulnerability was found by Matthias Deeg of SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key:
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB



The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web



Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en



Login or Register to add favorites

File Archive:

November 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    1 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    0 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    219 Files
  • 14
    Nov 14th
    19 Files
  • 15
    Nov 15th
    66 Files
  • 16
    Nov 16th
    38 Files
  • 17
    Nov 17th
    9 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    11 Files
  • 22
    Nov 22nd
    56 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    36 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    14 Files
  • 28
    Nov 28th
    30 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By