| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 10 Sep 2012 22:38:11 +0200 From: Tomas Rzepka <tomas@...tezza.net> To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk> Subject: Re: Authentication flaw in APS-Soft DTE Axiom (CVE-2012-2455) Hello list, It has come to my attention that this vulnerability disclosure has been misinterpreted by some. 12.3.3 is NOT affected by this vulnerability! Best regards, Tomas Rzepka -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Tomas Rzepka Sent: den 6 september 2012 16:56 To: full-disclosure@...ts.grok.org.uk Subject: [Full-disclosure] Authentication flaw in APS-Soft DTE Axiom (CVE-2012-2455) Release date: 2012-09-06 Discovered by: Tomas Rzepka, Certezza AB, http://www.certezza.net Vendor: Advanced Productivity Software (http://www.aps-soft.com) Versions Affected: Versions prior 12.3.3 Type: Authentication Severity: High CVSS Base Score: 8.5 (AV:N/AC:L/Au:N/C:C/I:P/A:N) CVE: CVE-2012-2455 ---------------- Description ---------------- In a penetration test we discovered a security flaw in DTE Axiom Mobile Solution. The security vulnerability can cause customers loss of sensitive data, such as usernames, customer relations and projects. Advanced Productivity Software DTE Axiom has a server application that can be published on the Internet to give users of iPhone/iPad and Black Berry access to the time tracking system. User is deployed by enabling the feature on each user in the backend administration. The user gets an e-mail from the system which contains two links. One link to download the application (from Apple AppStore). The other link is to feed the smart phone application with configuration such as server address, username, database and registration ID (GUID). The application communicates with the server over HTTPS. Although the application has a registration ID to identify each device it is never used. By posting applicable HTTP parameters to the application server, anyone with knowledge how the application works can extract and alter information about users, customers, projects, etc., without being authenticated to the server. We only had access to an iPhone/iPad device so we could not test the Black Berry functionality and it does not use the same API. The security issue does not exist in the Black Berry API according to the vendor. ---------------- Mitigation ---------------- Vendor has released a new version (12.3.3) which fixes this specific issue. ---------------- Timeline ---------------- 2012-05-07: Vendor disclosures 2012-05-07: Vendor response 2012-09-04: Fix released 2012-09-06: Public disclosure _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists