https://www.osisecurity.com.au/kaseya-parameter-reflected-xss-enumeration-and-bruteforce-weakness.html

Date: 04-Apr-2017
Software: Kaseya
Affected version: Kaseya VSA v6.5.0.0.

Vulnerability details:

1. The "forgot password" function at https://[target]/access/logon.asp reveals whether a username is valid/exists or not, which assists with brute force attacks. An incorrect username responds with "No record of this user exists", whereas a valid username returns "The system emailed you a link. Visit it to change your password." This makes it much easier to brute force accounts.

2. The password reset URL, such as https://[target]/access/resetAccount.asp?id=26756180, is not sufficiently complex to prevent brute force attacks. The software should instead use a GUID (a globally unique value with 5.3×10^36 combinations) to prevent brute force. The server response permits data matching to ascertain whether a guessed id value is valid or not.

3. The URL at https://[target]/access/accessRoot.asp?page=logon.asp contains a cross-site scripting vulnerability. Authentication cookies may be stolen, or malicious HTML, JavaScript, etc. injected to abuse the client web browser.

Examples:
https://[target]/access/accessRoot.asp?page=http://www.osisecurity.com.au/
https://[target]/access/accessRoot.asp?page=javascript:alert(document.cookie);/

References:
http://help.kaseya.com/webhelp/EN/RN/index.asp#30773.htm

Credit: Vulnerability discovered by Patrick Webster

Disclosure timeline:
20-Aug-2014 - Discovered during audit.
24-Aug-2014 - Sent to vendor.
25-Aug-2014 - Vendor response.
15-Oct-2014 - Vendor partially patched. Additional fixes due in 2 weeks. Version 6.5.0.22+.
04-Apr-2017 - Public disclosure.

About OSI Security:
OSI Security is an independent network and computer security auditing and consulting company based in Sydney, Australia. We provide internal and external penetration testing, vulnerability auditing and wireless site audits, vendor product assessments, secure network design, forensics and risk mitigation services. We can be found at http://www.osisecurity.com.au/
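The three weaknesses above share one remediation pattern: a uniform "forgot password" response, a high-entropy single-use reset token, and an allowlist for the page parameter. The following Python sketch is an added example illustrating that pattern; it is not Kaseya's code or OSI Security's, and the user store, page names and function names are constructed for the example.

```python
import hashlib
import secrets

# Constructed stand-in for the account database (assumption for this example).
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}
# Reset tokens are stored hashed, so reading the table alone cannot redeem one.
RESET_TOKENS = {}

# Item 1: one message for valid and invalid usernames, so the response no longer
# reveals whether an account exists.
UNIFORM_MESSAGE = "If that account exists, a password reset link has been emailed."


def request_reset(username):
    """Always return the same message; mint a token only if the user exists."""
    token = None
    if username in USERS:
        # Item 2: 256 bits of randomness instead of a short decimal id, so
        # guessing an id and matching the server response is not feasible.
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = username
        # A real handler would email the link here; the example returns it.
    return UNIFORM_MESSAGE, token


def redeem_reset(token):
    """Exchange a token for its username once; the token is consumed on use."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    return RESET_TOKENS.pop(digest, None)


# Item 3: the page parameter is matched against known local page names only,
# so "javascript:" and absolute URLs fall back to the login page instead of
# being reflected into the response.
ALLOWED_PAGES = {"logon.asp", "resetAccount.asp"}


def safe_page(page):
    """Return the requested page if allowlisted, otherwise the default."""
    return page if page in ALLOWED_PAGES else "logon.asp"
```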