usd-2018-0014 | Lexware Professional 2017/Version 17.02


Advisory ID: usd-2018-0014
CVE Number: N/A
Affected Product: Lexware Professional 2017
Affected Version: Version 17.02
Vulnerability Type: Improper Access Control
Security Risk: Critical
Vendor URL: https://shop.lexware.de/reisekosten-abrechnung
Vendor Status: Fixed

Description

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.

The default database credentials (Advisory-ID: usd20180013) also provide the possibility to read and manipulate sensitive data stored in the database. The key among these sensitive data, and plausibly the one with maximum lateral hopping possibility, being the ability to read user ids and encrypted passwords of all registered users, including that of the Supervisor. Furthermore, the database allows access to individual users through user id and the encrypted password. Thus, with knowledge of a user id and the associated password, more connections to the database can be established.

The vulnerability, in all its simplicity, can be stated as the ability to read obtain encrypted passwords of all users and utilize the same to obtain further access to the database

Proof of Concept (PoC)

Screenshort attached to advisory, showing gained user credentials.

Fix

https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html

Credits

This security vulnerabilities were found by Sebastian Puttkammer of usd AG.