usd-2018-0014 | Lexware Professional 2017/Version 17.02
Advisory ID: usd-2018-0014
CVE Number: N/A
Affected Product: Lexware Professional 2017
Affected Version: Version 17.02
Vulnerability Type: Improper Access Control
Security Risk: Critical
Vendor URL: https://shop.lexware.de/reisekosten-abrechnung
Vendor Status: Fixed
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.
The default database credentials (Advisory-ID: usd20180013) also provide the possibility to read and manipulate sensitive data stored in the database. The key among these sensitive data, and plausibly the one with maximum lateral hopping possibility, being the ability to read user ids and encrypted passwords of all registered users, including that of the Supervisor. Furthermore, the database allows access to individual users through user id and the encrypted password. Thus, with knowledge of a user id and the associated password, more connections to the database can be established.
The vulnerability, in all its simplicity, can be stated as the ability to read obtain encrypted passwords of all users and utilize the same to obtain further access to the database
Proof of Concept
Screenshort attached to advisory, showing gained user credentials.
This security vulnerabilities were found by Sebastian Puttkammer of usd AG.
ABOUT usd SECURITY ADVISORIES
In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.
Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.
Always for the sake of our mission: „more security.“
In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities.
The information provided in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.