what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Readsoft Invoice Processing / Process Director XSS / Design Issues

Readsoft Invoice Processing / Process Director XSS / Design Issues
Posted Aug 6, 2014
Authored by Johannes Greil | Site sec-consult.com

Readsoft Invoice Processing version 5.6 and Process Director version 7.2 suffers from cross site scripting and design vulnerabilities.

tags | advisory, vulnerability, xss
SHA-256 | 58bf606761fd0cbf2446293ded7d4bf6daba9b1265483f987c814d44bf97c023

Readsoft Invoice Processing / Process Director XSS / Design Issues

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20140805-0 >
=======================================================================
title: Multiple vulnerabilities
product: Readsoft Invoice Processing / Process Director
vulnerable version: Invoice Servicepack 5.6, Process Director 7.2
fixed version: -
impact: Critical
homepage: http://www.readsoft.com
found: 2014-02-27
by: J. Greil, M. Hofer, B. Kopp
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
- ---------------------------
"ReadSoft has been a pioneer in P2P invoice automation since the 1990s, when
the company first brought free-form technology for invoice processing to
market. Today, ReadSoft continues to be a global leader in business document
process automation, with 2,500+ accounts payable solution applications
worldwide - more than double the total applications of all major competitors
put together."

URL: http://www.readsoft.com/about-us/who-we-are


Business recommendation:
- ------------------------
Vulnerabilities have been identified that are based on severe design flaws in
the application. It is highly recommended by SEC Consult not to use this
software until a thorough security review has been performed by security
professionals and all identified issues have been resolved.


Vulnerability overview/description:
- -----------------------------------
1) Reflected & stored Cross-Site Scripting
An unauthenticated user is able to perform Cross-Site Scripting attacks e.g.
create relogin Trojan Horses or steal session cookies in the context of the
affected web application "Process Director". Over 120 XSS issues have been
identified and it is assumed that many more exist.

Attackers are able to take over other user accounts and potentially gain
access to invoice data or other sensitive data.


2) Critical design issues
The Readsoft Invoice Processing software e.g. contains the tools / software
products "Manager", "Verify" or "Optimize". Those programs are usually
stored/installed locally on the user's system. They contain configuration
files that point to the global configuration which is stored on a file server
in a multi-user environment and accessed via network shares.

The software then reads this global configuration file which contains user
accounts and passwords (some of them in cleartext!) for other integrated
systems such as SAP or database connections.
The client program also connects to the database with a high-privileged user
and access rights are managed locally on the client!

All users of the software suite must be able to access this network share with
full access rights (read/write) in order for the program to work properly.

Therefore, attackers can not only gain access to sensitive data such as passwords in
cleartext (SAP backend connection, database), scanned invoices, log &
licensing files etc. but potentially manipulate configuration files /
invoices or replace existing executables with malicious code.


Proof of concept:
- -----------------
1) Reflected & stored Cross-Site Scripting

The following URLs are only an example of vulnerable functionality which can
be exploited without authentication. Over 120 different issues have been
identified during the crash test:

[ Proof of concept details removed as no patch is available ]


2) Critical design issues
The file "..." contains configuration parameters for the SAP and also database
backend connections.

The SAP password is stored in cleartext. The database password is encrypted
which can easily be retrieved by using a debugger (method [...] in [...].dll).
Anti-debugging mechanisms can be circumented by patching the application.

The database user needs full access rights to the database as the rights
management is done on the client. The user account information is stored in
the table "[...]".


Vulnerable / tested versions:
- -----------------------------
The vulnerability has been verified to exist in Invoice Servicepack 5.6 &
Process Director 7.2, which was the most recent version at the time of
discovery.


Vendor contact timeline:
- ------------------------
2014-06-03: Requesting security contact via online contact form (no security
contact or other suitable email addresses found online)
2014-06-06: (no reply) Sending email to info@, info-de@ and CTO of Readsoft
Attaching responsible disclosure policy & encryption keys
2014-06-12: Asking again for a security contact
2014-06-12: Vendor provides PGP key
2014-06-13: Sending encrypted advisory
2014-06-13: Vendor: will come back with further info
2014-06-24: Asking for status update
2014-07-02: Asking again for the status update, reminder regarding planned
advisory release date
2014-07-09: Answer from vendor that draft response is created, will send
approved version as soon as it's ready
2014-08-05: SEC Consult releases security advisory


Solution:
- ---------
The vendor did not provide any patch information.


Workaround:
- -----------
No workaround available.


Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF J. Greil / @2014

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJT4IzQAAoJECyFJyAEdlkK/vcH/3u4nIke9Mm6Oqntf01sCFer
V2cGP1VujKfrKq2xE0tfCywHVBPS++A0RQAcdkdWhqmUvbhdsHEplr51WQhuNefW
9z7ety8grITR7vfsZhYM4pgLIt2GD0Wby0V9Wu8LzjgD4Fty9k5gvrEupqMsK0eN
GOMa9cjciUrjnEwy7EqSKgv8eJttDdS1ncbKWI8Bkhi3htc/i2iLpiBXYBgR8RuW
xqHVtU2xHMkwb8Nrso1fAmqv3H/YLd0rodFXsF7cK6453FiuWNs40apANPt1naJy
v6cZczfWSk0EYF6RgPCKeVyJU2YKSnWDwGYESfx4Gaf8Kn180gjRHTYsDUM7R4o=
=1HyM
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close