SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Acusend Vendors:   Acuma
Acuma Acusend Portal Access Control Bug Lets Remote Authenticated Users Obtain Reports of Other Users
SecurityTracker Alert ID:  1005487
SecurityTracker URL:  http://securitytracker.com/id/1005487
CVE Reference:   CVE-2002-1538   (Links to External Site)
Updated:  Oct 24 2003
Original Entry Date:  Oct 25 2002
Impact:   Disclosure of user information

Version(s): 4
Description:   An access control vulnerability was reported in Acuma's Acusend portal software. A remote authenticated user may obtain information belonging to other users.

Sec-Tec reported that a remote authenticated user that knows a full URL for another user's report can access the report. The full URLs are apparently non-random and may be guessed or possibly predicted.

Impact:   A remote authenticated user can obtain reports belonging to other users.
Solution:   The vendor has reportedly fixed the flaw. No information was available on the fixed version number or the method required to obtain the fix.
Vendor URL:  www.acumasoftware.co.uk/products/acusend.asp (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  Sec-Tec advisory 24.10.02 Unauthorised file acces in Acuma's Acusend





Possible illegal file access In Acuma's Acusend - 24th October 2002

Overview:

Acusend is a leading report portal product from Acuma (www.acuma.co.uk).
Acusend allows organisations to collect and collate information from a
diverse range of sources and present it via a uniform web interface. Acusend
is widely deployed in Government, Education and Aerospace industries.

During a penetration test of a client's network, Sec-Tec (www.sec-tec.co.uk)
has discovered that it is possible for an authenticated user to access
reports belonging to other users if the full URL to the report is known.
Although the full URLs may appear to be random, certain factors such as time
and date are sometimes used as part of the URL structure , thereby greatly
reducing entropy. Release of this information has been withheld awaiting a
corrected version
from Acuma.

Affected Versions:

Version 4, possibly previous (although not tested).

Recommended Action:

The vendor states that the issue is rectified in the latest version.

Released By:

David Wray, Sec-Tec Ltd (www.sec-tec.co.uk)

Thanks:

Sec-Tec would like to thank Acuma for their co-operation and swift response.



________________________________________________________________________
Sec-Tec Ltd, CLAS Government certified specialists in information security professional services. Visit http://www.sec-tec.co.uk for
 more information on our services. This e-mail has been scanned for possible virus contamination. However, we recommend that all recipients
 also scan this message.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC