Re: Jiwa Financials - Reporting allows execution of arbitrary reports as SQL user with full permissions.
Secunia security advisory categorises it as "less critical" :
http://secunia.com/advisories/20342/
I'm not going to argue with experts - our categorisation of the risk
level stays as it is.
Original report (which has been edited) claimed it was a remote exploit
- this is false, and seems to have only been included in the report for
added sensationalism.
There is nothing sensational here.
The only vulnerability is that an authenticated user may be able to run
a Crystal Report which could possibly reveal sensitive information,
should they have the skills to construct such a report.
Only information at risk is the information contained within the Jiwa
database, nothing else - no other SQL database, no files on the
filesystem.
Bug # 4186 in our system addresses this report redirection
vulnerability.
As of 5pm, Thursday June 1st, 2006 a patch for this is available for customers
and dealers from our website, www.jiwa.com.au.
Password encryption is a todo feature logged way before this was
reported. No promise was made. My exact words were :
"...I don't like to comment on un-released products, as changes are
sometimes withdrawn before release, which can result in disappointment.
However, I feel some information on where we are heading may do
something to at least partially reassure you that we are making changes
to the security within the product..."
I then went on to cover a number of topics, including password
encryption, and provided a URL to our bug tracking database for Robert
to see all we were doing in the software.
Does a company which does not care provide someone like Robert with a
URL to their internal bug tracking database ?
Robert, I strongly suggest you remain factual in your reports in
future. We will not tolerate vexatious complaints or threats (care for
me to quote some of your emails to me, here in a public forum ?).