mailing list archives
Sec-Tec advisory 24.10.02 Unauthorised file acces in Acuma's Acusend
From: "David Wray" <davew () sec-tec com>
Date: Fri, 25 Oct 2002 15:49:03 +0100
Possible illegal file access In Acuma's Acusend - 24th October 2002
Acusend is a leading report portal product from Acuma (www.acuma.co.uk).
Acusend allows organisations to collect and collate information from a
diverse range of sources and present it via a uniform web interface. Acusend
is widely deployed in Government, Education and Aerospace industries.
During a penetration test of a client's network, Sec-Tec (www.sec-tec.co.uk)
has discovered that it is possible for an authenticated user to access
reports belonging to other users if the full URL to the report is known.
Although the full URLs may appear to be random, certain factors such as time
and date are sometimes used as part of the URL structure , thereby greatly
reducing entropy. Release of this information has been withheld awaiting a
Version 4, possibly previous (although not tested).
The vendor states that the issue is rectified in the latest version.
David Wray, Sec-Tec Ltd (www.sec-tec.co.uk)
Sec-Tec would like to thank Acuma for their co-operation and swift response.
Sec-Tec Ltd, CLAS Government certified specialists in information security professional services. Visit
http://www.sec-tec.co.uk for more information on our services. This e-mail has been scanned for possible virus
contamination. However, we recommend that all recipients also scan this message.
- Sec-Tec advisory 24.10.02 Unauthorised file acces in Acuma's Acusend David Wray (Oct 25)