Vulnerablity Type / Importance: Privilege Escalation / High
Problem discovered: November 25th 2005
Vendor contacted: November 25th 2005
Advisory published: December 20th 2005
Abstract:
Utraapps Issue Manager is a freely available web-based business application for tracking issues and tasks during software development or other projects involving teams of people. The service is vulnerable to a privilege escalation attack that would enable a standard user to log into the application as an administrator.
Description:
The vulnerability enables a low privileged user to modify the password of the administrator account and therefore escalate privileges. The details of the vulnerability are shown below.
In the test configuration there are 2 users:
admin/admin
guest/guest
Log on as a guest and visit the "My profile" link:
http://xxx.xxx.xxx.xxx/UserProfile.aspx
Intercept the request using a web proxy and change the field 'p_User_user_id' and 'User_user_id' from 2 (which is the guest id) to 1 (which is the administrator id)
Also, modify the password in the 'User_pass' field.
The user can now log into the admin account with the new password.
The vulnerability is located in the file UserProfile.cs, lines 273-275
if (p_User_user_id.Value.Length > 0) {
sWhere = sWhere + "user_id=" + CCUtility.ToSQL(p_User_user_id.Value, CCUtility.FIELD_TYPE_Number);
Tested Versions:
Ultraapps Issue Manager V2.1
Tested Operating Systems:
Microsoft Windows 2000
Vendor & Patch Information:
Contact was initially made via email on November 25th 2005. However, no response was received. A bug report was then submitted to the Ultraapps website on December 13th 2005. On December 20th, a patch for the issue was published on the site (http://www.ultraapps.com)
Workarounds:
IRM is not aware of any workarounds for this issue.
Credits:
Research & Advisory: R Marcos and A Davis
Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.