
[SYSS-2015-046] sysPass - Insecure Direct Object References (CWE-932)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-046
Product: sysPass
Manufacturer: http://cygnux.org/
Affected Version(s): 1.0.9 and below
Tested Version(s): 1.0.9
Vulnerability Type: Insecure Direct Object References (CWE-932)
                    Exposure of Backup File to an Unauthorized Control
                    Sphere (CWE-530)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2015-06-10
Solution Date: 2015-10-26
Public Disclosure: 2015-12-07
CVE Reference: Not yet assigned
Author of Advisory: Daniele Salaris (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

sysPass is a web-based password manager written in PHP and Ajax with a
built-in multiuser environment.

The web application is prone to a security vulnerability that allows an
attacker without valid user credentials to download existing backup
files, which contain a full database dump and the complete application
folder, from a predictable and unprotected URL.

The software manufacturer describes the web application as follows
(see [1]):

"sysPass is a web password manager written in PHP that allows password
management in a centralized way and in a multiuser environment.
The main features are:

* HTML5 and Ajax based interface
* Password encryption with AES-256 CBC.
* Users and groups management.
* Advanced profiles management with 16 access levels.
* MySQL, OpenLDAP and Active Directory authentication.
* Activity alerts by email.
* Accounts change history.
* Accounts files management.
* Inline image preview.
* Multilanguage.
* Links to external Wiki.
* Portable backup.
* Action tracking and event log.
* One-step install process."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The backup functionality of the web-based password manager sysPass
creates the following two files and stores them in the application's
backup folder, which is served from within the web root and is not
protected by any access control:

* sysPass_db.sql
* sysPass.tar.gz

The file sysPass_db.sql contains a full database dump, including the
encrypted account passwords, and the file sysPass.tar.gz contains the
complete contents of the sysPass web application folder, including its
configuration.

Because the file names are fixed and the folder is reachable without
authentication, an attacker can download both files directly via the
following URLs:

http(s)://<HOST>/backup/sysPass_db.sql
http(s)://<HOST>/backup/sysPass.tar.gz

Thus, an external attacker without valid user credentials gains
unauthorized access to all configuration and application data of the
password manager sysPass. With access to this data, an attacker can
perform further attacks in order to recover the credentials of sysPass
users or to decrypt the encrypted password information contained within
the database.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URLs can be used to download existing backup files of the
password manager sysPass from an external attacker's perspective:

http(s)://<HOST>/backup/sysPass_db.sql
http(s)://<HOST>/backup/sysPass.tar.gz

For example:

http://syspass.org/demo/backup/sysPass_db.sql
http://syspass.org/demo/backup/sysPass.tar.gz
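The following script is an added example for the vulnerability details
and the PoC above; it is not part of this advisory or of the sysPass
project. It turns the two PoC URLs into a repeatable check: each file is
requested with a Range header so that only the first kilobyte is fetched,
and the response is classified by status code and by the first bytes of
the body rather than by status alone, because a 200 with an HTML login
page or soft 404 must not be reported as an exposed dump. It assumes
sysPass is served at the base URL given on the command line, that the
backup folder is <base>/backup/, and the two file names stated in the
advisory. Run it only against systems you are authorised to test.

```python
"""Check whether a sysPass instance exposes its backup files.

Added example; not part of the SySS advisory or the sysPass project.
Assumptions: sysPass is served at BASE_URL, the backup folder is
BASE_URL/backup/, file names are the two given in the advisory.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

BACKUP_FILES = ("sysPass_db.sql", "sysPass.tar.gz")
GZIP_MAGIC = b"\x1f\x8b"          # first two bytes of every gzip stream
SQL_MARKERS = (b"-- MySQL dump", b"CREATE TABLE", b"INSERT INTO", b"DROP TABLE")
HTML_MARKERS = (b"<html", b"<!doctype")


@dataclass
class Finding:
    url: str
    status: int
    exposed: bool
    reason: str


def classify(url: str, status: int, head: bytes) -> Finding:
    """Decide from the status code and the first bytes of the body whether
    the response really is a backup file. A 200 whose body is HTML is a
    soft 404 or a login page, not an exposed dump, and is not counted."""
    name = url.rsplit("/", 1)[-1]
    if status not in (200, 206):          # 206: server honoured the Range header
        return Finding(url, status, False, f"HTTP {status}")
    probe_bytes = head[:1024]
    if any(m in probe_bytes.lower() for m in HTML_MARKERS):
        return Finding(url, status, False, "HTML body (error page or login form)")
    if name.endswith(".tar.gz"):
        if probe_bytes.startswith(GZIP_MAGIC):
            return Finding(url, status, True, "gzip magic bytes present")
        return Finding(url, status, False, "no gzip header")
    if name.endswith(".sql"):
        if any(m in probe_bytes for m in SQL_MARKERS):
            return Finding(url, status, True, "SQL dump statements present")
        return Finding(url, status, False, "no SQL dump markers")
    return Finding(url, status, False, "unrecognised file type")


def fetch_head(url: str, nbytes: int = 1024, timeout: float = 10.0):
    """Return (status, first nbytes of the body) for url. The Range header
    keeps the request small even when the archive is large; an HTTP error
    status is returned with an empty body since classify() ignores it."""
    req = urllib.request.Request(
        url,
        headers={"Range": f"bytes=0-{nbytes - 1}",
                 "User-Agent": "syspass-backup-exposure-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(nbytes)
    except urllib.error.HTTPError as err:
        return err.code, b""


def probe(base_url: str) -> list:
    """Probe both advisory file names under base_url/backup/."""
    base = base_url.rstrip("/")
    return [classify(url, *fetch_head(url))
            for url in (f"{base}/backup/{name}" for name in BACKUP_FILES)]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} http(s)://<HOST>")
    for f in probe(sys.argv[1]):
        print(("EXPOSED  " if f.exposed else "ok       ") + f"{f.url}: {f.reason}")
```

The body check matters more than the status code: a vulnerable host
answers with gzip magic bytes or mysqldump statements, whereas a
patched or hardened host typically answers 403/404, or 200 with the
application's HTML login page, and the script reports only the former.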

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The reported security vulnerabilities have been fixed in a new software
release. Update to the new software version, and check that backup files
created by a vulnerable version are no longer reachable from the web.
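As an added defence-in-depth measure, independent of the vendor fix and
not taken from the advisory or the sysPass project, an operator can deny
all direct web access to the backup folder at the web server. The
fragment below assumes Apache httpd with AllowOverride enabled for the
sysPass document root and is placed as <docroot>/backup/.htaccess; the
folder path and the Apache version switch are the only assumptions.
Storing backups outside the document root altogether is the stronger
option, since it removes the files from the web server's reach entirely.

```apache
# Added hardening example (not from the advisory or the sysPass project).
# Placed as <docroot>/backup/.htaccess; requires AllowOverride to permit
# authorization directives. Every direct request to the folder is refused,
# so sysPass_db.sql and sysPass.tar.gz can no longer be fetched by URL.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
</IfModule>
```

After deploying it, a request for http(s)://<HOST>/backup/sysPass_db.sql
should return 403 rather than the dump; verify this from outside the
host rather than trusting the configuration alone.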

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-06-08: Vulnerability discovered
2015-06-10: Vulnerability reported to manufacturer
2015-10-26: Release of new software version that addresses the reported
            security issues. Discussed security fix with manufacturer.
2015-12-07: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Web site of sysPass - sysadmin password manager
    http://wiki.syspass.org/en/start
[2] SySS Security Advisory SYSS-2015-046
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-046.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Daniele Salaris of the SySS GmbH.

E-Mail: disclosure (at) syss.de
Key fingerprint = E135 4E23 6091 A85C 9E14 577A 28DF B3A7 0A98 A9D4

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may 
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web 
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----