In-Reply-To: <20030529052621.31678.qmail@www.securityfocus.com>

The following can be taken as an official response from the vendor, M-Tech Information Technology, Inc. (http://mtechIT.com/), to this "vulnerability":

1) The actual risk of these issues to production deployments of P-Synch is nil, as users do not normally, or in our experience ever, access P-Synch by clicking a URL on a third-party web server. Cross-site scripting attacks only affect the web browser of users who click a maliciously-constructed URL to a valid application URL, and this mode of attacking user browsers is simply not relevant to a normal P-Synch deployment. Users access P-Synch in one of several ways, none of which expose their browser to cross-site scripting attacks:

   a) By typing a well-known URL, such as "password", in their browser, and relying on the DNS infrastructure of their organization (e.g., password --> password.acme.com --> P-Synch server).

   b) By triggering transparent password synchronization with a native password change on some system (where no browser is involved).

   c) Using an IVR system and telephone (again, no browser).

   d) By clicking on a link to P-Synch on their corporate Intranet, which is highly unlikely to be compromised by a mangled URL.

2) A fix for both issues has been available to M-Tech customers for some time. Despite the extremely low risk, M-Tech was already aware, in particular, of the path disclosure issue, and had already resolved it.

3) Path disclosure is trivial in this case. The fact that P-Synch was installed in "C:\Program Files\P-Synch" is hardly sensitive, and security through obscurity is obviously a falsehood. The P-Synch application is hardened, and knowledge on the part of an intruder that the software is installed in a given directory, on a machine that should in normal deployments have no filesystem shares or other remote access mechanisms, is meaningless.

4) The contents of the filesystem of the P-Synch server are not affected.
For example, issuing a URL such as:

   http://demobox/demo/psdemo/nph-psf.exe?css=c:\test.dat

will simply cause a web browser that follows this link to get an HTML page that includes the text:

   <style type="text/css" media="all">
   @import "c:\test.dat";
   </STYLE>

The original poster never made an effort to notify M-Tech of the "discovered vulnerability," and does not have a legitimate copy of P-Synch (presumably because he refused to sign a license agreement which many customers and prospects sign daily to get a free evaluation copy of the software). As there are extremely few P-Synch deployments facing the Internet, it is very unlikely that the poster "came across" P-Synch by accident.

Customers and prospects are encouraged to contact M-Tech for more detailed information about this issue, and to download patches if they feel the vulnerability is worth addressing.

>Date: 29 May 2003 05:26:21 -0000
>Message-ID: <20030529052621.31678.qmail@www.securityfocus.com>
>From: JeiAr <jeiar@kmfms.com>
>To: bugtraq@securityfocus.com
>Subject: Multiple Vulnerabilities In P-Synch Password Management
>
>
>Multiple Vulnerabilities In P-Synch Password Management
>-------------------------------------------------------
>The other night I came across a server running P-Synch.
>I had never heard of it, so I was curious to poke around
>on it a bit. Within an hour I found the vulns listed below.
>I'm pretty sure there are other, more serious vulns in
>P-Synch, but they are very picky about who they give their
>software to, even an evaluation version, so I was not able
>to test any further. However, I encourage any admins running
>P-Synch to poke around on it, just to be on the safe side.
>
>
>Description
>-------------------------------------------------------
>P-Synch Total Password Management Solution
>by M-TECH
>P-Synch is a total password management solution. It is
>intended to reduce the cost of ownership of password systems,
>and simultaneously improve the security of password-protected
>systems. This is done through:
> - Password synchronization.
> - Enforcing an enterprise-wide password strength policy.
> - Allowing authenticated users to reset their own forgotten
>   passwords and enable their locked-out accounts.
> - Streamlining help desk call resolution for password resets.
>P-Synch is available for both internal use, on the corporate
>Intranet, as well as for Internet deployment in B2B and B2C
>applications.
>
>http://www.securityfocus.com/products/837
>
>
>Problems
>-------------------------------------------------------
>All of these problems are simple, self-explanatory vulns,
>so I'm sure the examples below will speak for themselves.
>Once again, this application was NOT thoroughly researched,
>so anyone with a copy of P-Synch might wanna explore it
>further.
>
>
>Path Disclosure Vulnerability
>-------------------------------------------------------
>https://path/to/psynch/nph-psa.exe?lang=
>https://path/to/psynch/nph-psf.exe?lang=
>
>
>Code Injection Vulnerability
>-------------------------------------------------------
>https://path/to/psynch/nph-psf.exe?css=">[VBScript, JScript etc]
>https://path/to/psynch/nph-psa.exe?css=">[VBScript, JScript etc]
>
>
>File Include Vulnerability
>-------------------------------------------------------
>https://path/to/psynch/nph-psf.exe?css=http://somesite/file
>https://path/to/psynch/nph-psa.exe?css=http://somesite/file
>
>
>Credits
>-------------------------------------------------------
>All credits go to JeiAr of GulfTech Computers and CSA
>Security Research http://www.gulftech.org
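The code injection and file include reports above share one root: whatever arrives in the css= parameter is copied into the page's @import unchecked. As an added example that is not part of either message in this thread, the following Python triages web-server access-log entries for the two CGI names in the advisory (nph-psf.exe, nph-psa.exe) and shows one possible server-side fix, an allowlist of stylesheet names; the vendor's actual patch is not described in the thread. The log lines, the psynch.css default name and the allowlist pattern are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the advisory); the css= values mirror the reported issues.
LOG_LINES = [
    '10.0.0.5 - - [29/May/2003:05:26:21 +0000] "GET /psynch/nph-psf.exe?css=psynch.css HTTP/1.0" 200 4021',
    '10.0.0.9 - - [29/May/2003:05:27:02 +0000] "GET /psynch/nph-psf.exe?css=c:%5Ctest.dat HTTP/1.0" 200 3988',
    '10.0.0.9 - - [29/May/2003:05:27:40 +0000] "GET /psynch/nph-psa.exe?css=http://somesite/file HTTP/1.0" 200 3990',
    '10.0.0.9 - - [29/May/2003:05:28:11 +0000] "GET /psynch/nph-psa.exe?css=%22%3E%3Cb%3Ex%3C/b%3E HTTP/1.0" 200 4102',
    '10.0.0.7 - - [29/May/2003:05:29:00 +0000] "GET /psynch/nph-psf.exe?lang= HTTP/1.0" 200 1200',
]
# Hypothetical allowlist: a bare stylesheet file name the deployment ships, nothing else.
ALLOWED_CSS = re.compile(r"[A-Za-z0-9_-]{1,32}\.css")
DEFAULT_CSS = "psynch.css"  # placeholder for the deployment's default sheet
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def classify_css(value):
    # Bucket a css= value by the kind of misuse it indicates.
    if ALLOWED_CSS.fullmatch(value):
        return "allowed"
    if re.match(r"[a-z][a-z0-9+.-]*://", value, re.I) or value.startswith("//"):
        return "remote"      # would @import a stylesheet from another host (file include)
    if re.match(r"[a-zA-Z]:[\\/]", value) or value[:1] in ("/", "\\") or ".." in value:
        return "local-path"  # drive letter, absolute or traversing path on the server
    if re.search(r'[<>"\']', value):
        return "markup"      # quote/tag characters that break out of the @import string
    return "other"

def suspicious_requests(lines):
    """Return (client, cgi, css_value, category) for every non-allowlisted css= value."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        cgi = parts.path.rsplit("/", 1)[-1]
        if cgi not in ("nph-psf.exe", "nph-psa.exe"):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("css", []):
            category = classify_css(value)
            if category != "allowed":
                hits.append((client, cgi, value, category))
    return hits

def render_style(css):
    # Assumed server-side fix: only an allowlisted name ever reaches the @import.
    if not ALLOWED_CSS.fullmatch(css):
        css = DEFAULT_CSS
    return '<style type="text/css" media="all">\n@import "%s";\n</style>' % css
```

Run against the sample lines, suspicious_requests() flags the drive-letter path, the remote URL and the quote/tag value from the one client, and ignores the lang= request that carries no css= parameter.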