[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Authentication flaw in APS-Soft DTE Axiom (CVE-2012-2455)

To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Authentication flaw in APS-Soft DTE Axiom (CVE-2012-2455)
From: Tomas Rzepka <tomas@xxxxxxxxxxxx>
Date: Thu, 6 Sep 2012 16:55:44 +0200

Release date: 2012-09-06
Discovered by: Tomas Rzepka, Certezza AB, http://www.certezza.net
Vendor: Advanced Productivity Software (http://www.aps-soft.com)
Versions Affected: Versions prior 12.3.3
Type: Authentication
Severity: High
CVSS Base Score: 8.5 (AV:N/AC:L/Au:N/C:C/I:P/A:N)
CVE: CVE-2012-2455

----------------
Description
----------------
In a penetration test we discovered a security flaw in DTE Axiom Mobile 
Solution.
The security vulnerability can cause customers loss of sensitive data, such as 
usernames, customer relations and projects.

Advanced Productivity Software DTE Axiom has a server application that can be 
published on the Internet to give users of iPhone/iPad and Black Berry access 
to the time tracking system. User is deployed by enabling the feature on each 
user in the backend administration. The user gets an e-mail from the system 
which contains two links. One link to download the application (from Apple 
AppStore). The other link is to feed the smart phone application with 
configuration such as server address, username, database and registration ID 
(GUID). The application communicates with the server over HTTPS.

Although the application has a registration ID to identify each device it is 
never used. By posting applicable HTTP parameters to the application server, 
anyone with knowledge how the application works can extract and alter 
information about users, customers, projects, etc., without being authenticated 
to the server. We only had access to an iPhone/iPad device so we could not test 
the Black Berry functionality and it does not use the same API. The security 
issue does not exist in the Black Berry API according to the vendor.

----------------
Mitigation
----------------
Vendor has released a new version (12.3.3) which fixes this specific issue.

----------------
Timeline
----------------
2012-05-07: Vendor disclosures
2012-05-07: Vendor response
2012-09-04: Fix released
2012-09-06: Public disclosure

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Authentication flaw in APS-Soft DTE Axiom (CVE-2012-2455)
  - From: Tomas Rzepka

Prev by Date: [Full-disclosure] [SECURITY] [DSA 2541-1] beaker security update
Next by Date: [Full-disclosure] HackIM - Delhi 2012 : Battle ON
Previous by thread: [Full-disclosure] [SECURITY] [DSA 2541-1] beaker security update
Next by thread: Re: [Full-disclosure] Authentication flaw in APS-Soft DTE Axiom (CVE-2012-2455)
Index(es):
- Date
- Thread