Possible illegal file access In Acuma's Acusend - 24th October 2002 Overview: Acusend is a leading report portal product from Acuma (www.acuma.co.uk). Acusend allows organisations to collect and collate information from a diverse range of sources and present it via a uniform web interface. Acusend is widely deployed in Government, Education and Aerospace industries. During a penetration test of a client's network, Sec-Tec (www.sec-tec.co.uk) has discovered that it is possible for an authenticated user to access reports belonging to other users if the full URL to the report is known. Although the full URLs may appear to be random, certain factors such as time and date are sometimes used as part of the URL structure , thereby greatly reducing entropy. Release of this information has been withheld awaiting a corrected version from Acuma. Affected Versions: Version 4, possibly previous (although not tested). Recommended Action: The vendor states that the issue is rectified in the latest version. Released By: David Wray, Sec-Tec Ltd (www.sec-tec.co.uk) Thanks: Sec-Tec would like to thank Acuma for their co-operation and swift response. ________________________________________________________________________ Sec-Tec Ltd, CLAS Government certified specialists in information security professional services. Visit http://www.sec-tec.co.uk for more information on our services. This e-mail has been scanned for possible virus contamination. However, we recommend that all recipients also scan this message.
