Re: Multiple vulnerabilities in TietoEnator's Procapita school administration system, at least version

To: bugtraq@xxxxxxxxxxxxxxxxx, pelzi@xxxxxxxxx
Subject: Re: Multiple vulnerabilities in TietoEnator's Procapita school administration system, at least version
From: Juha-Matti Laurio <juha-matti.laurio@xxxxxxxx>
Date: Sun, 6 Jul 2008 23:10:46 +0300 (EEST)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

The vendor Nextime Solutions has informed about the release of upcoming bugfix 
version this week.

The company VP has stated that the test process of fixed version is started and 
a fixed version will be delivered to customers before a new academic term.

TietoEnator sold its education business in Finland to Nextime Solutions Oy on 
1st Jan 2008.

Vendor's response and information about the bugfix timeline was covered in 
local IT news (in Finnish):
http://www.tietoviikko.fi/doc.do?f_id=1381983

Juha-Matti

pelzi@xxxxxxxxx wrote:

Product: Procapita (school administration system)
Vendor: TietoEnator Abp
Vulnerable versions: unknown
Impact: high
Found: months ago

The login screens of the school administration database system, "login.asp" and "inloggning.asp", as used in an unnammed school district in Finland, contain SQL injection vulnerabilities, which can be easily detected by inserting '||' (the oracle string concatenation operator and ending and starting quotes) within a valid password or username (they still work), or adding an odd number of quotes (resulting in an exception). The "input validation" in JavaScript must be "defeated" first - there is no signs of any validation done server side.

The program also contains other SQL injection vulnerabilities in text fields 
etc. accessible after login - especially ones that are used to search for 
information, which may allow compromise of sensitive personal information in 
the database via injection to a SELECT query.

The program prints exception handlers to the browser, including Oracle database 
error strings.

The session cookie lacks the 'secure' flag, and if a logged-in user clicks a 
link with the http: scheme (such links exist in the school district's web 
pages) the cookie will be sent in plain text.

The session cookie is not tied to the visitor's IP address.

The program contains pages that automatically print themselves using JavaScript, leading 
to possible unintended printing of private information to a network printer since users 
are accustomed to clicking "OK".

The program gives the user no way of changing the password or disabling the 
login. The un-changeable password generated by the system is alphanumeric and 
only six characters.

The versioning of the program is so vague (the pages have either no version 
information at all or conflicting information) that it is impossible to say 
which versions are vulnerable, especially since I have no access to multiple 
installations, any docs or source.

The vulnerabilities have been reported to the vendor when they were found.

Exploits: None known

Fix: Modify code to properly sanitize user input server side.

Prev by Date: [oCERT-2008-007] libpoppler uninitialized pointer
Next by Date: [ GLSA 200807-03 ] PCRE: Buffer overflow
Previous by thread: [oCERT-2008-007] libpoppler uninitialized pointer
Next by thread: [ GLSA 200807-03 ] PCRE: Buffer overflow
Index(es):
- Date
- Thread