---------------------------------------------------------------------- IRM Security Advisory No. 013 Ultraapps Issue Manager is vulnerable to Privilege Escalation Vulnerablity Type / Importance: Privilege Escalation / High Problem discovered: November 25th 2005 Vendor contacted: November 25th 2005 Advisory published: December 20th 2005 ---------------------------------------------------------------------- Abstract: Utraapps Issue Manager is a freely available web-based business application for tracking issues and tasks during software development or other projects involving teams of people. The service is vulnerable to a privilege escalation attack that would enable a standard user to log into the application as an administrator. Description: The vulnerability enables a low privileged user to modify the password of the administrator account and therefore escalate privileges. The details of the vulnerability are shown below: In the test configuration there are 2 users: admin/admin guest/guest Log on as a guest and visit the "My profile" link: http://xxx.xxx.xxx.xxx/UserProfile.aspx Intercept the request using a web proxy and change the field 'p_User_user_id' and 'User_user_id' from 2 (which is the guest id) to 1 (which is the administrator id) Also, modify the password in the 'User_pass' field. The user can now log into the admin account with the new password. The vulnerability is located in the file UserProfile.cs, lines 273-275 if (p_User_user_id.Value.Length > 0) { sWhere = sWhere + "user_id=" + CCUtility.ToSQL(p_User_user_id.Value, CCUtility.FIELD_TYPE_Number); } Tested Versions: Ultraapps Issue Manager V2.1 Tested Operating Systems: Microsoft Windows 2000 Vendor & Patch Information: Contact was initially made via email on November 25th 2005. HOwever, no response was received. A bug report was then submitted to the Ultraapps website on December 13th 2005. On December 20th, a patch for the issue was published on the site (http://www.ultraapps.com) Workarounds: IRM are not aware of any workarounds for this issue. Credits: Research & Advisory: Rodrigo Marcos and Andy Davis Disclaimer: All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information. A copy of this advisory may be found at: http://www.irmplc.com/advisories.htm ---------------------------------------------------------------------- Information Risk Management Plc. Kings Building, Smith Square, London, United Kingdom SW1P 3JJ +44 (0)207 808 6420
