0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
URVE Software Build 24.03.2020 Information Disclosure Vulnerability
Author
Risk
[Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
URVE Software Build 24.03.2020 Information Disclosure Vulnerability
Product: URVE Software
Manufacturer: Eveo Sp. z o.o.
Affected Version(s): Build "24.03.2020"
Tested Version(s): Build "24.03.2020"
Vulnerability Type: Cleartext Storage of Sensitive Information
(CWE-312)
Exposure of Sensitive Information to an
Unauthorized Actor (CWE-200)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2020-11-10
Solution Date: 2020-11-18
Public Disclosure: 2020-12-23
CVE Reference: CVE-2020-29550
Authors of Advisory: Erik Steltzner, SySS GmbH
Christoph Ritter, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
URVE is a system for reserving rooms which also provides a web interface
with event scheduler.
The manufacturer describes the product as follows (see [1] and [2]):
'Booking rooms on touchscreen and easy integration with MS Exchange,
Lotus, Office 365, Google Calendar and other systems.
Great looking schedules right at the door.
Fight conference room theft with our 10" touchscreen wall-mounted
panel.'
'Manage displays, edit playlists and HTML5 content easily.
Our server can be installed on any Windows and works smoothly from
web browser.'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The password of the user account which is used for the connection of
the MS Office 365 Integration Service is stored as plaintext in
configuration files, as well as in the database.
The following files contain the password in plaintext:
Profiles/urve/files/sql_db.backup
Server/data/pg_wal/000000010000000A000000DD
Server/data/base/16384/18617
Server/data/base/17202/8708746
This causes the password to be displayed as plaintext in the HTML code.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The path
/urve/roomsreservationimport/roomsreservationimport/update-HTML5?id=<id>
contains the tag with the cleartext password:
<input id="roomsreservationimport_password" [...] value="clearTextPassword">
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
The password should be stored as cryptographic hash value.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2020-10-28: Vulnerability discovered
2020-11-10: Vulnerability reported to manufacturer
2020-11-18: Patch released by manufacturer
2020-12-23: Public disclosure of vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product Website for URVE
https://urve.co.uk/system-rezerwacji-sal
[2] Product Website for URVE
https://urve.co.uk
[3] SySS Security Advisory SYSS-2020-042
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-042.txt
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
# 0day.today [2024-07-04] #