The reporting function in Jiwa Financials 6.4.14 allows execution of arbitrary reports as SQL user with full SELECT, INSERT, UPDATE, DELETE SQL permissions.
ffe8d4a8b44066cc603685aa27447d14660b26131db8ab89620c95ae20d898cfThis message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C682DE.E470AB1C
Content-Type: text/plain
Date: 28/5/2006
Product: Jiwa Financials 6.4.14 - http://www.jiwa.com.au/
Vulnerability: Reporting allows execution of arbitrary reports as SQL user
with full SELECT, INSERT, UPDATE, DELETE SQL permissions.
Product Background
---------------------
On execution Jiwa Financials authenticates users against a username/password
database On a SQL server to access that users access level.
To do this it gets its SQL connection details from a .ini file located on
the users Application Data folder called Jiwalog.ini
The contents of the file are as follows:
[Connections]
Count=01
Connection01=<DatasourceName>,Z:\maininifile.ini
[Parameters]
LastSQLLogin=jiwauser
LastUserName=<last user>
LastConnectionODBC=<DatasourceName>
Within maininifile.ini it sets out the users menu amongst other things ie.
' Menu Start
'===========
ShowGST= 0
[Modules]
Count=09
Module001=Inventory,1
Module002=Debtors,2
Module003=Contacts,8
Module004=Sales Order Entry,3
Module005=Creditors,7
Module006=Purchase Orders,5
Module007=General Ledger,4
Module008=Monthly Reports,2
Module009=System,6
Ok so there's the main menu drawn for the user - note a standardized .ini
file for the entire site is common place
Placing all modules on the main menu and just restricting access per module
when one tries to access it.
Reporting
---------
When a user executes any menu option to run a report, it loads the report
module which is standard across the board and passes
To the reporting module, the report object that was listed on the menu the
user selected.
The report files are all Crystal Reports and are stored on a common mapped
network drive - generally J drive.
The full path and filename to the .rpt file is detailed on the screen in a
textbox with a command button to the right of it that
Allows the user to browse for another location or report - THIS INCLUDES ANY
OTHER MAPPABLE DRIVE AND THE LOCAL COMPUTER DRIVES
ie. The local My Documents for the evil user.
This is a feature apparently because it allows the users to specify
different report file versions etc
Ok now for the issue
--------------------
User logs into Jiwa Financials, goes into Sales Order Processing which is
standard for anyone that generates an invoice - ie. People working out on
the front desk selling products over the counter - not a staff level you
want to give access to your general ledger or anything else.
Create a blank crystal report file and point it at a Jiwa table called
HR_Staff for example.
Create the report using a dummy database.
The username, password and data source including database name is passed to
the report at runtime - all you need correct is the table name that you
could just get anyway from Systables...
Now because the guy that works at front counter - although having some
remote clue on how to use the Crystal Report Wizard - he doesn't have access
to save the .rpt file to the network drive with the other reports nor would
he want to because he may get caught that way so he either saves it to his
USB drive and it appears as a locally available drive.
He goes into his sales order report to look up a customers previous quote or
anything remotely using the reporting module - given the application does
pretty much everything output wise through different Crystal Reports, that's
pretty easy.
He then clicks the Command button to change the location of the .rpt file to
his USB Drive ie. E:\Evil_Jiwa_RPT\Userlist.rpt
He then selects "Print To Screen" to the left of the command button.
He then clicks the "Print Button" and waits for the few seconds it takes to
return EVERY JIWA USER'S USERNAME, CLEAR TEXT PASSWORD, FIRST NAME, SURNAME,
POSITION IN THE COMPANY AND OTHER DETAILS.
What has actually happened
--------------------------
Because the Jiwa application passes the username/password/data source
details directly to the .rpt file, it uses the same SQL user account that
the rest of the application uses that has full SELECT, INSERT, UPDATE,
DELETE AND DRI rights.
I could craft some SQL to select the table names out of the systables table
and then step through table by table and delete all.
Or I could simply add $10 to invoices, payments... I could even setup a new
creditor if I was determined enough to write the code, execute the report
once and just wait for the next cheque run!
Conclusion
----------
This applications technology leaves a lot to be desired.
When you execute the application, the login screen has "ActiveX Three Teir
Client Server" up the left hand side and "Client Server Accounting" written
horizontally above the username/password textbox's.
The only thing installed on the "SERVER" is Microsoft SQL Server and the
Jiwa Database plus a truckload of .rpt files which were obviously created
for remote exploitation.
In no way whatsoever is this application a three tier client server solution
and that is something the company refuses to accept.
All usernames and passwords are TRANSMITTED in clear text to the local SQL
Server ODBC driver from the application.
All usernames and passwords are STORED in clear text in the SQL Server
Database in the table HR_Staff
Not even simple base64 encoding has been used.
There is no administrative control over users menu options.
Far too many variables are available and changeable on the user end outside
the control of the network administrators.
There is no remote attempt to validate access to reports vs users seen in
any previous revisions I have seen and 6.4.14 is current.
Bottom line - if you have this application on your site - you are vulnerable
- at this stage there is no current patch.
Regards,
Robert Passlow
------_=_NextPart_001_01C682DE.E470AB1C
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"Street"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"address"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:Arial;
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Date: 28/5/2006<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Product: Jiwa Financials 6.4.14 -
http://www.jiwa.com.au/<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Vulnerability: Reporting allows execution of
arbitrary reports as SQL user with full SELECT, INSERT, UPDATE, DELETE =
SQL
permissions.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Product =
Background<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier =
New"'>---------------------<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>On execution Jiwa Financials authenticates =
users
against a username/password database On a SQL server to access that =
users
access level.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>To do this it gets its SQL connection =
details from a
.ini file located on the users Application Data folder called =
Jiwalog.ini<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>The contents of the file are as =
follows:<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>[Connections]<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Count=3D01<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier =
New"'>Connection01=3D<DatasourceName>,Z:\maininifile.ini<o:p></o:p=
></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>[Parameters]<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier =
New"'>LastSQLLogin=3Djiwauser<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>LastUserName=3D<last =
user><o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier =
New"'>LastConnectionODBC=3D<DatasourceName><o:p></o:p></span></fon=
t></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Within maininifile.ini it sets out the users =
menu
amongst other things ie.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>' Menu Start<br>
'=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
ShowGST=3D 0<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'> <o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>[Modules]<br>
Count=3D09<br>
Module001=3DInventory,1<br>
Module002=3DDebtors,2<br>
Module003=3DContacts,8<br>
Module004=3DSales Order Entry,3<br>
Module005=3DCreditors,7<br>
Module006=3DPurchase Orders,5<br>
Module007=3DGeneral Ledger,4<br>
Module008=3DMonthly Reports,2<br>
Module009=3DSystem,6<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Ok so there’s the main menu drawn for =
the user
– note a standardized .ini file for the entire site is common =
place<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Placing all modules on the main menu and =
just
restricting access per module when one tries to access it.<o:p></o:p></s=
pan></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Reporting<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>---------<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>When a user executes any menu option to run =
a
report, it loads the report module which is standard across the board =
and
passes<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>To the reporting module, the report object =
that was
listed on the menu the user selected.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>The report files are all Crystal Reports and =
are
stored on a common mapped network drive – generally J =
drive.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>The full path and filename to the .rpt file =
is
detailed on the screen in a textbox with a command button to the right =
of it
that<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Allows the user to browse for another =
location or
report – THIS INCLUDES ANY OTHER MAPPABLE DRIVE AND THE LOCAL =
COMPUTER
DRIVES <o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>ie. The local My Documents for the =
evil user.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>This is a feature apparently because it =
allows the
users to specify different report file versions =
etc<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Ok now for the =
issue<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>--------------------</span></font><font =
size=3D2
face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial'><o:p></o:p></span></font></=
p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span style=3D'=
font-size:10.0pt;
font-family:"Courier New"'>User logs into Jiwa Financials, goes into =
Sales
Order Processing which is standard for anyone that generates an invoice =
–
ie. People working out on the front desk selling products over the =
counter
– not a staff level you want to give access to your general =
ledger or
anything else.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Create a blank crystal report file and point =
it at a
Jiwa table called HR_Staff for example.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Create the report using a dummy =
database.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>The username, password and data source =
including
database name is passed to the report at runtime – all you need =
correct
is the table name that you could just get anyway from =
Systables…<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Now because the guy that works at front =
counter -
although having some remote clue on how to use the Crystal Report =
Wizard
– he doesn’t have access to save the .rpt file to the =
network drive
with the other reports nor would he want to because he may get caught =
that way
so he either saves it to his USB drive and it appears as a locally =
available
drive.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>He goes into his sales order report to look =
up a
customers previous quote or anything remotely using the reporting =
module -
given the application does pretty much everything output wise through =
different
Crystal Reports, that’s pretty easy.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>He then clicks the Command button to change =
the
location of the .rpt file to his <st1:Street w:st=3D"on"><st1:address =
w:st=3D"on">USB
Drive</st1:address></st1:Street> ie. =
E:\Evil_Jiwa_RPT\Userlist.rpt<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>He then selects “Print To =
Screen” to the
left of the command button.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>He then clicks the “Print =
Button” and
waits for the few seconds it takes to return EVERY JIWA USER’S =
USERNAME,
CLEAR TEXT PASSWORD, FIRST NAME, SURNAME, POSITION IN THE COMPANY AND =
OTHER
DETAILS.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>What has actually =
happened<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier =
New"'>--------------------------<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Because the Jiwa application passes the =
username/password/data
source details directly to the .rpt file, it uses the same SQL user =
account
that the rest of the application uses that has full SELECT, INSERT, =
UPDATE,
DELETE AND DRI rights.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>I could craft some SQL to select the table =
names out
of the systables table and then step through table by table and delete =
all.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Or I could simply add $10 to invoices,
payments… I could even setup a new creditor if I was determined =
enough to
write the code, execute the report once and just wait for the next =
cheque run!<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>=
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Conclusion<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>----------<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>This applications technology leaves a lot to =
be
desired.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>When you execute the application, the login =
screen
has “ActiveX Three Teir Client Server” up the left hand =
side and
“Client Server Accounting” written horizontally above the
username/password textbox’s.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>The only thing installed on the =
“SERVER”
is Microsoft SQL Server and the Jiwa Database plus a truckload of .rpt =
files
which were obviously created for remote =
exploitation.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>In no way whatsoever is this application a =
three
tier client server solution and that is something the company refuses =
to
accept.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>All usernames and passwords are TRANSMITTED =
in clear
text to the local SQL Server ODBC driver from the =
application.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>All usernames and passwords are STORED in =
clear text
in the SQL Server Database in the table =
HR_Staff<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Not even simple base64 encoding has been =
used.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>There is no administrative control over =
users menu
options.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Far too many variables are available and =
changeable
on the user end outside the control of the network =
administrators.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>There is no remote attempt to validate =
access to
reports vs users seen in any previous revisions I have seen and 6.4.14 =
is
current.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Bottom line – if you have this =
application on
your site – you are vulnerable – at this stage there is no =
current
patch.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Regards,<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Robert Passlow<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
</div>
</body>
</html>
------_=_NextPart_001_01C682DE.E470AB1C--
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed