-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SEC Consult Vulnerability Lab Security Advisory < 20140805-0 > ======================================================================= title: Multiple vulnerabilities product: Readsoft Invoice Processing / Process Director vulnerable version: Invoice Servicepack 5.6, Process Director 7.2 fixed version: - impact: Critical homepage: http://www.readsoft.com found: 2014-02-27 by: J. Greil, M. Hofer, B. Kopp SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: - --------------------------- "ReadSoft has been a pioneer in P2P invoice automation since the 1990s, when the company first brought free-form technology for invoice processing to market. Today, ReadSoft continues to be a global leader in business document process automation, with 2,500+ accounts payable solution applications worldwide - more than double the total applications of all major competitors put together." URL: http://www.readsoft.com/about-us/who-we-are Business recommendation: - ------------------------ Vulnerabilities have been identified that are based on severe design flaws in the application. It is highly recommended by SEC Consult not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: - ----------------------------------- 1) Reflected & stored Cross-Site Scripting An unauthenticated user is able to perform Cross-Site Scripting attacks e.g. create relogin Trojan Horses or steal session cookies in the context of the affected web application "Process Director". Over 120 XSS issues have been identified and it is assumed that many more exist. Attackers are able to take over other user accounts and potentially gain access to invoice data or other sensitive data. 2) Critical design issues The Readsoft Invoice Processing software e.g. contains the tools / software products "Manager", "Verify" or "Optimize". Those programs are usually stored/installed locally on the user's system. They contain configuration files that point to the global configuration which is stored on a file server in a multi-user environment and accessed via network shares. The software then reads this global configuration file which contains user accounts and passwords (some of them in cleartext!) for other integrated systems such as SAP or database connections. The client program also connects to the database with a high-privileged user and access rights are managed locally on the client! All users of the software suite must be able to access this network share with full access rights (read/write) in order for the program to work properly. Therefore, attackers can not only gain access to sensitive data such as passwords in cleartext (SAP backend connection, database), scanned invoices, log & licensing files etc. but potentially manipulate configuration files / invoices or replace existing executables with malicious code. Proof of concept: - ----------------- 1) Reflected & stored Cross-Site Scripting The following URLs are only an example of vulnerable functionality which can be exploited without authentication. Over 120 different issues have been identified during the crash test: [ Proof of concept details removed as no patch is available ] 2) Critical design issues The file "..." contains configuration parameters for the SAP and also database backend connections. The SAP password is stored in cleartext. The database password is encrypted which can easily be retrieved by using a debugger (method [...] in [...].dll). Anti-debugging mechanisms can be circumented by patching the application. The database user needs full access rights to the database as the rights management is done on the client. The user account information is stored in the table "[...]". Vulnerable / tested versions: - ----------------------------- The vulnerability has been verified to exist in Invoice Servicepack 5.6 & Process Director 7.2, which was the most recent version at the time of discovery. Vendor contact timeline: - ------------------------ 2014-06-03: Requesting security contact via online contact form (no security contact or other suitable email addresses found online) 2014-06-06: (no reply) Sending email to info@, info-de@ and CTO of Readsoft Attaching responsible disclosure policy & encryption keys 2014-06-12: Asking again for a security contact 2014-06-12: Vendor provides PGP key 2014-06-13: Sending encrypted advisory 2014-06-13: Vendor: will come back with further info 2014-06-24: Asking for status update 2014-07-02: Asking again for the status update, reminder regarding planned advisory release date 2014-07-09: Answer from vendor that draft response is created, will send approved version as soon as it's ready 2014-08-05: SEC Consult releases security advisory Solution: - --------- The vendor did not provide any patch information. Workaround: - ----------- No workaround available. Advisory URL: - ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF J. Greil / @2014 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJT4IzQAAoJECyFJyAEdlkK/vcH/3u4nIke9Mm6Oqntf01sCFer V2cGP1VujKfrKq2xE0tfCywHVBPS++A0RQAcdkdWhqmUvbhdsHEplr51WQhuNefW 9z7ety8grITR7vfsZhYM4pgLIt2GD0Wby0V9Wu8LzjgD4Fty9k5gvrEupqMsK0eN GOMa9cjciUrjnEwy7EqSKgv8eJttDdS1ncbKWI8Bkhi3htc/i2iLpiBXYBgR8RuW xqHVtU2xHMkwb8Nrso1fAmqv3H/YLd0rodFXsF7cK6453FiuWNs40apANPt1naJy v6cZczfWSk0EYF6RgPCKeVyJU2YKSnWDwGYESfx4Gaf8Kn180gjRHTYsDUM7R4o= =1HyM -----END PGP SIGNATURE-----