Message-ID: <CAATS1p8aOT554Aur201y5X5WYWyEO4ay0wKrNTEnbJ9XPCHENw@mail.gmail.com>
Date: Tue, 4 Apr 2017 17:37:52 +1000
From: Patrick Webster via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] Kaseya VSA 6.5 Parameter Reflected XSS, Enumeration and Bruteforce Weakness

https://www.osisecurity.com.au/kaseya-parameter-reflected-xss-enumeration-and-bruteforce-weakness.html

Date: 04-Apr-2017
Software: Kaseya
Affected version: Kaseya VSA v6.5.0.0

Vulnerability details:

1. The "forgot password" function at https://[target]/access/logon.asp reveals whether a username exists, which assists brute-force attacks. An incorrect username returns "No record of this user exists", whereas a valid username returns "The system emailed you a link. Visit it to change your password." This makes it much easier to brute-force accounts, because the attacker can first build a list of valid usernames and then guess passwords only for those.

2. The password reset URL, such as https://[target]/access/resetAccount.asp?id=26756180, is not complex enough to resist brute force: an id of this form has on the order of 10^8 possible values. The software should instead use a GUID (a random version-4 GUID carries 122 random bits, about 5.3×10^36 combinations) or another globally unique random value. In addition, the server response differs for valid and invalid id values, so an attacker can match on the response to tell whether a guessed id is valid.

3. The URL https://[target]/access/accessRoot.asp?page=logon.asp contains a cross-site scripting vulnerability in the page parameter. Authentication cookies may be stolen, or malicious HTML or JavaScript injected to abuse the client's web browser. Examples:

https://[target]/access/accessRoot.asp?page=http://www.osisecurity.com.au/
https://[target]/access/accessRoot.asp?page=javascript:alert(document.cookie);/

References:
http://help.kaseya.com/webhelp/EN/RN/index.asp#30773.htm

Credit: Vulnerability discovered by Patrick Webster

Disclosure timeline:
20-Aug-2014 - Discovered during audit.
24-Aug-2014 - Sent to vendor.
25-Aug-2014 - Vendor response.
15-Oct-2014 - Vendor partially patched; additional fixes due in 2 weeks (version 6.5.0.22+).
04-Apr-2017 - Public disclosure.

About OSI Security: OSI Security is an independent network and computer security auditing and consulting company based in Sydney, Australia. We provide internal and external penetration testing, vulnerability auditing and wireless site audits, vendor product assessments, secure network design, forensics and risk mitigation services. We can be found at http://www.osisecurity.com.au/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
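The following is an added example, not code from the advisory or from Kaseya, showing a forgot-password flow that closes findings 1 and 2: the response is identical whether or not the username exists, the reset token is 128 random bits rather than a short numeric id, only a hash of the token is stored, and an unknown, expired or already-used token all produce the same answer so the reset endpoint cannot be used to confirm guesses. The user table, message text and helper names are assumptions made for the example.

```python
# Added example for findings 1 and 2 of the advisory above. Illustrative
# code written for this page, not Kaseya's source; USERS, the message text
# and the function names are assumptions.
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60

# Constructed sample user table (username -> e-mail address).
USERS = {"alice": "alice@example.invalid", "bob": "bob@example.invalid"}

# sha256(token) -> (username, expiry). Only the hash is stored, so a leaked
# table does not hand out live reset links.
_reset_tokens: Dict[str, Tuple[str, float]] = {}

# One message for every username, so the reply cannot be used to separate
# valid accounts from invalid ones (finding 1).
UNIFORM_MESSAGE = ("If an account with that username exists, the system "
                   "emailed you a link. Visit it to change your password.")


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def request_reset(username: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Handle a forgot-password request.

    Returns (message, token). The message is identical for known and unknown
    usernames. The token is what would go into the e-mailed link; it is
    returned here only so the flow can be exercised offline (a real handler
    would e-mail it and return just the message).
    """
    now = time.time() if now is None else now
    token = None
    if username in USERS:
        # 16 random bytes = 128 bits, i.e. 2**128 possible values, versus the
        # 10**8 values of an 8-digit numeric id such as id=26756180 and the
        # 2**122 (about 5.3e36) values of a random version-4 GUID.
        token = secrets.token_urlsafe(16)
        _reset_tokens[_token_hash(token)] = (username, now + RESET_TTL_SECONDS)
    return UNIFORM_MESSAGE, token


def redeem_reset(token: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve a presented token to a username.

    Returns None for an unknown, expired or already-used token; all three
    cases look the same to the caller, so a guessing attacker cannot match on
    the response to learn whether a value was ever valid (finding 2). Tokens
    are single-use.
    """
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(_token_hash(token), None)
    if entry is None:
        return None
    username, expiry = entry
    return username if now <= expiry else None
```

The hashed lookup means the stored table never contains a usable token, and because the token itself is unguessable there is no timing side channel worth protecting in the dictionary lookup; the design choice that matters is the uniform message plus the uniform failure result.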
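Finding 3 reflects the page parameter of accessRoot.asp into the response; the two example URLs show both an external http:// target and a javascript: URL being accepted. The added example below, which is illustrative code written for this page and not Kaseya's source, contrasts a "before" handler that copies the parameter straight into a link with a hardened one that allow-lists local page names, rejects anything carrying a scheme or host, and HTML-escapes the value on output. The allow list, the default page and the shape of the generated markup are assumptions.

```python
# Added example for finding 3 of the advisory above. Illustrative code written
# for this page, not Kaseya's source; ALLOWED_PAGES, DEFAULT_PAGE and the
# markup emitted are assumptions.
import html
from typing import Optional
from urllib.parse import urlsplit

# Assumed allow list: lower-cased name -> canonical page name.
ALLOWED_PAGES = {"logon.asp": "logon.asp", "resetaccount.asp": "resetAccount.asp"}
DEFAULT_PAGE = "logon.asp"


def render_link_vulnerable(page: str) -> str:
    """The 'before' pattern the advisory's examples imply: the parameter is
    copied into the markup unchanged, so page=javascript:alert(document.cookie);/
    becomes a script-bearing link and page=http://www.osisecurity.com.au/ an
    off-site one. Shown only as the vulnerable form."""
    return '<a href="%s">Continue</a>' % page


def validate_page(page: Optional[str]) -> Optional[str]:
    """Return the canonical allow-listed page name, or None for anything else.

    Allow-listing, rather than stripping known-bad substrings, is what makes
    the check hold against case, encoding and separator tricks.
    """
    candidate = (page or "").strip().replace("\\", "/")  # browsers treat \ as /
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal; never a local page
        return None
    if parts.scheme or parts.netloc:
        # http://host/..., javascript:..., //host/...: never a local page name
        return None
    name = candidate.lstrip("/").lower()
    if name.startswith("access/"):
        name = name[len("access/"):]
    return ALLOWED_PAGES.get(name)


def render_link_hardened(page: Optional[str]) -> str:
    """Reflect only a validated, same-origin page, HTML-escaped on output."""
    target = validate_page(page) or DEFAULT_PAGE
    return '<a href="/access/%s">Continue</a>' % html.escape(target, quote=True)
```

The scheme/netloc test is belt-and-braces; the allow list alone already rejects both of the advisory's example payloads, and rejecting on parse failure keeps the fallback on the safe side.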