IRM 013: Ultraapps Issue Manager is vulnerable to Privilege Escalation
----------------------------------------------------------------------
IRM Security Advisory No. 013
Ultraapps Issue Manager is vulnerable to Privilege Escalation
Vulnerablity Type / Importance: Privilege Escalation / High
Problem discovered: November 25th 2005
Vendor contacted: November 25th 2005
Advisory published: December 20th 2005
----------------------------------------------------------------------
Abstract:
Utraapps Issue Manager is a freely available web-based business
application for tracking issues and tasks during software development
or other projects involving teams of people. The service is vulnerable
to a privilege escalation attack that would enable a standard user to
log into the application as an administrator.
Description:
The vulnerability enables a low privileged user to modify the password
of the administrator account and therefore escalate privileges. The details
of the vulnerability are shown below:
In the test configuration there are 2 users:
admin/admin
guest/guest
Log on as a guest and visit the "My profile" link:
http://xxx.xxx.xxx.xxx/UserProfile.aspx
Intercept the request using a web proxy and change the field
'p_User_user_id' and 'User_user_id' from 2 (which is the guest id) to 1
(which is the administrator id)
Also, modify the password in the 'User_pass' field.
The user can now log into the admin account with the new password.
The vulnerability is located in the file UserProfile.cs, lines 273-275
if (p_User_user_id.Value.Length > 0) {
sWhere = sWhere + "user_id=" + CCUtility.ToSQL(p_User_user_id.Value,
CCUtility.FIELD_TYPE_Number);
}
Tested Versions:
Ultraapps Issue Manager V2.1
Tested Operating Systems:
Microsoft Windows 2000
Vendor & Patch Information:
Contact was initially made via email on November 25th 2005. HOwever, no
response was received. A bug report was then submitted to the Ultraapps
website on December 13th 2005. On December 20th, a patch for the issue
was published on the site (http://www.ultraapps.com)
Workarounds:
IRM are not aware of any workarounds for this issue.
Credits:
Research & Advisory: Rodrigo Marcos and Andy Davis
Disclaimer:
All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.
A copy of this advisory may be found at:
http://www.irmplc.com/advisories.htm
----------------------------------------------------------------------
Information Risk Management Plc.
Kings Building,
Smith Square, London,
United Kingdom
SW1P 3JJ
+44 (0)207 808 6420