SecurityTracker.com

SecurityTracker Archives

Category: Application (Generic) > JIWA Financials
Vendors: JIWA
JIWA Financials Lets Authenticated Users Execute Arbitrary Reports and Obtain Passwords
SecurityTracker Alert ID: 1016181
SecurityTracker URL: http://securitytracker.com/id/1016181
CVE Reference: CVE-2006-2718, CVE-2006-2719
Updated: Aug 18 2009
Original Entry Date: May 30 2006
Impact: Disclosure of authentication information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 6.4.14
Description:   A vulnerability was reported in JIWA Financials. An authenticated user can execute arbitrary reports. This can be exploited to obtain passwords.

An authenticated user can create a specially crafted report file and then run it through the reporting module. The report executes with the same SQL account the rest of the application uses, so it can run arbitrary SQL commands with that account's full SELECT, INSERT, UPDATE, and DELETE permissions.

The system stores passwords in plain text in the database, so a user running such a report can read them.

Robert Passlow reported this vulnerability.
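The control the advisory describes as absent is a server-side decision about which report file may be run, and by whom, before any connection details reach the reporting engine. The following Python is an added illustration of that check, not code from SecurityTracker, JIWA, or the reporter: the user-supplied .rpt path is canonicalised (case folded, separators fixed, ".." collapsed) and must resolve inside an approved report directory, and the report must be one the user's role is registered for. The directory Z:\Jiwa\Reports, the entitlement table, the role names and the sample requests are constructed assumptions.

```python
import ntpath
from typing import Iterable, Optional, Tuple

# Constructed assumptions for this example: the network share that holds the
# sanctioned .rpt files, and which roles may run each registered report.
APPROVED_REPORT_DIR = r"Z:\Jiwa\Reports"
REPORT_ENTITLEMENTS = {
    "salesorders.rpt": {"sales", "admin"},
    "stafflist.rpt": {"admin"},
}


def resolve_report_path(requested: str) -> Optional[str]:
    """Canonicalise a user-supplied report path and confirm it sits inside
    APPROVED_REPORT_DIR. Returns the normalised path, or None when the request
    is relative, is not a .rpt file, or escapes the approved directory (another
    drive letter such as a USB stick, a UNC share, or '..' traversal)."""
    if not requested.lower().endswith(".rpt"):
        return None
    # normpath collapses '.' and '..' and converts '/' to '\'; normcase folds
    # case so Z:\JIWA\... and z:\jiwa\... compare equal. ntpath works the same
    # on any host, so this runs outside Windows too.
    normalized = ntpath.normcase(ntpath.normpath(requested))
    approved = ntpath.normcase(ntpath.normpath(APPROVED_REPORT_DIR))
    if not ntpath.isabs(normalized):
        return None
    # Require the separator so "z:\jiwa\reports2\x.rpt" does not pass as a prefix.
    if not normalized.startswith(approved + "\\"):
        return None
    return normalized


def authorize_report(user_roles: Iterable[str], requested: str) -> Tuple[bool, str]:
    """Decide whether this user may run the requested report. Only when this
    returns (True, path) should SQL connection details be handed to the
    reporting engine; otherwise the second element is the reason, for logging."""
    path = resolve_report_path(requested)
    if path is None:
        return False, "report path is outside the approved report directory"
    entitled = REPORT_ENTITLEMENTS.get(ntpath.basename(path))
    if entitled is None:
        return False, "report is not registered in the entitlement table"
    if not set(user_roles) & entitled:
        return False, "user is not entitled to run this report"
    return True, path


if __name__ == "__main__":
    # Constructed requests: a legitimate one, a report on a removable drive,
    # a traversal attempt, and a registered report the role may not run.
    for roles, req in [
        ({"sales"}, r"Z:\Jiwa\Reports\SalesOrders.rpt"),
        ({"sales"}, r"E:\Evil_Jiwa_RPT\Userlist.rpt"),
        ({"sales"}, r"Z:\Jiwa\Reports\..\..\Staff\Userlist.rpt"),
        ({"sales"}, r"Z:\Jiwa\Reports\StaffList.rpt"),
    ]:
        print(roles, req, "->", authorize_report(roles, req))
```

Even with this check in place, the reporting engine should connect as a dedicated login that only has SELECT on the views the registered reports need, rather than the application's full-rights account; the path and entitlement check limits which reports run, the separate login limits what a report can do if the check is ever bypassed.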

Impact:   An authenticated user can execute SQL commands on the target system and can obtain user passwords.
Solution:   The vendor has issued a patch (available as of June 1 2006, 5:00 pm AEDT), available from the downloads area of the vendor's website.
Vendor URL: www.jiwa.com.au/
Cause:   Input validation error
Underlying OS:  Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


Source Message Contents

Subject: Jiwa Financials - Reporting allows execution of arbitrary reports

Date: 28/5/2006

Product: Jiwa Financials 6.4.14 - http://www.jiwa.com.au/

Vulnerability: Reporting allows execution of arbitrary reports as SQL user with full SELECT, INSERT, UPDATE, DELETE SQL permissions.

 

 

Product Background
---------------------

On execution Jiwa Financials authenticates users against a username/password database on a SQL server to access that user's access level.

To do this it gets its SQL connection details from a .ini file, located in the user's Application Data folder, called Jiwalog.ini.

The contents of the file are as follows:

 

[Connections]
Count=01
Connection01=<DatasourceName>,Z:\maininifile.ini

[Parameters]
LastSQLLogin=jiwauser
LastUserName=<last user>
LastConnectionODBC=<DatasourceName>


Within maininifile.ini it sets out the user's menu, amongst other things, i.e.:

' Menu Start
'===========
ShowGST= 0

[Modules]
Count=09
Module001=Inventory,1
Module002=Debtors,2
Module003=Contacts,8
Module004=Sales Order Entry,3
Module005=Creditors,7
Module006=Purchase Orders,5
Module007=General Ledger,4
Module008=Monthly Reports,2
Module009=System,6

This places all modules on the main menu and just restricts access per module when one tries to access it.

 

 

 

Reporting
---------

When a user executes any menu option to run a report, it loads the report module, which is standard across the board, and passes to the reporting module the report object that was listed on the menu the user selected.

The full path and filename to the .rpt file is detailed on the screen in a textbox with a command button to the right of it that

ie. The local My Documents for the evil user.

This is a feature, apparently, because it allows the users to specify different report file versions etc.

 

 

Ok now for the issue
--------------------

 or anything else.

Create a blank Crystal report file and point it at a Jiwa table called HR_Staff for example.

Create the report using a dummy database.

 have access to save the .rpt file to the network drive with the other reports, nor would he want to because he may get caught that way, so he either saves it to his USB drive and it appears as a locally available drive.

He goes into his sales order report to look up a customer's previous quote or anything remotely using the reporting module - given

He then clicks the Command button to change the location of the .rpt file to his USB Drive, i.e. E:\Evil_Jiwa_RPT\Userlist.rpt

 FIRST NAME, SURNAME, POSITION IN THE COMPANY AND OTHER DETAILS.

 

 

What has actually happened
--------------------------

Because the Jiwa application passes the username/password/data source details directly to the .rpt file, it uses the same SQL user account that the rest of the application uses, which has full SELECT, INSERT, UPDATE, DELETE AND EXECUTE rights.

An example of one of the standard stored procedures in the Jiwa distribution allows you to drop the primary key from a table given the table name - these stored procedures are executable by this reporting user.
 

Conclusion
----------

This application's technology leaves a lot to be desired.

In no way whatsoever is this application a three-tier client/server solution, and that is something the company refuses to accept.

All usernames and passwords are TRANSMITTED in clear text to the local SQL Server ODBC driver from the application.

All usernames and passwords are STORED in clear text in the SQL Server database in the table HR_Staff.

Not even simple base64 encoding has been used.

There is no administrative control over users' menu options.

Far too many variables are available and changeable on the user end, outside the control of the network administrators.

There is no remote attempt to validate access to reports vs users seen in any previous revisions I have seen, and 6.4.14 is current.


 

Company Response
----------------

 and debtors is a considerable risk to any company, let alone one turning over millions of dollars per year.

Jiwa have promised to encrypt the passwords in the database in their next commercial release.

To quote his email on 28/5/06:

The vulnerability of walking up to any machine running Jiwa, pointing it to an "evil" report to cause malicious damage or reveal sensitive information will remain.


Regards,

 
Robert Passlow
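The message above reports that passwords are stored in clear text in HR_Staff, and the vendor's response is a promise to encrypt them. The standard mitigation for a credential table that any report with SELECT can read is not encryption (which the application would have to be able to reverse, with a key it holds) but a salted, iterated one-way hash that is verified by recomputation. The following Python is an added example of that approach, not code from Jiwa or the reporter; it models an HR_Staff table in an in-memory SQLite database (column names, usernames and passwords are constructed) so that a SELECT over the table yields only verifier strings that cannot be turned back into the passwords.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor; 600,000 iterations is the order of magnitude
# current OWASP guidance gives for this algorithm.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing verifier: algorithm$iterations$salt$digest.
    A fresh random 16-byte salt is drawn unless one is supplied (tests only),
    so two staff with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time; the verifier never has to be reversed to check a login."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed verifier (e.g. a legacy clear-text value)
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations)
    )
    return hmac.compare_digest(digest, expected)


def build_staff_db() -> sqlite3.Connection:
    """Constructed model of an HR_Staff table that stores verifiers, not
    passwords. Table and column names are assumptions for this example."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE HR_Staff (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    for username, password in (("alice", "Correct-Horse-Battery"), ("bob", "hunter2")):
        con.execute(
            "INSERT INTO HR_Staff (username, password_hash) VALUES (?, ?)",
            (username, hash_password(password)),
        )
    con.commit()
    return con


def authenticate(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Login check against the modelled table; unknown users simply fail."""
    row = con.execute(
        "SELECT password_hash FROM HR_Staff WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0])


def dump_hr_staff(con: sqlite3.Connection) -> List[Tuple[str, str]]:
    """What a report with SELECT on HR_Staff would see: usernames and verifiers."""
    return list(
        con.execute("SELECT username, password_hash FROM HR_Staff ORDER BY username")
    )


if __name__ == "__main__":
    con = build_staff_db()
    for username, verifier in dump_hr_staff(con):
        print(username, verifier)
    print("alice/correct:", authenticate(con, "alice", "Correct-Horse-Battery"))
    print("alice/wrong:  ", authenticate(con, "alice", "wrong"))
```

The verifier string carries its own algorithm and iteration count, so the work factor can be raised later and old rows re-hashed on the user's next successful login without a schema change. Storing hashes does not remove the need to stop arbitrary reports running as the application's SQL account: the table still lists every staff member, and the write-up notes that the same account can also INSERT, UPDATE, DELETE and EXECUTE.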

 
 



Copyright 2019, SecurityGlobal.net LLC