Bugtraq mailing list archives

Multiple Vulnerabilities In P-Synch Password Management
From: JeiAr <jeiar () kmfms com>
Date: 29 May 2003 05:26:21 -0000

Multiple Vulnerabilities In P-Synch Password Management
The other night I came across a server running P-Synch. 
I had never heard of it, so I was curious to poke around 
on it a bit. Within an hour I found the vulns listed below. 
I'm pretty sure there are other more serious vulns in 
P-Synch, but they are very picky about who they give their
software to, even an evaluation version. So I was not able
to test any further. However, I encourage any admins running
P-Synch to poke around on it, just to be on the safe side.

P-Synch Total Password Management Solution
P-Synch is a total password management solution. It is 
intended to reduce the cost of ownership of password systems, 
and simultaneously improve the security of password protected 
systems. This is done through:
- Password Synchronization.
- Enforcing an enterprise wide password strength policy.
- Allowing authenticated users to reset their own forgotten 
  passwords and enable their locked out accounts.
- Streamlining help desk call resolution for password resets.
P-Synch is available for both internal use, on the corporate 
Intranet, as well as for the Internet deployment in B2B and B2C


All of these problems are simple, self-explanatory vulns,
so I'm sure the below examples will speak for themselves.
Once again, this application was NOT thoroughly researched.
So anyone with a copy of P-Synch might wanna explore it

Path Disclosure Vulnerability

Code Injection Vulnerability
https://path/to/psynch/nph-psf.exe?css=";>[VBScript, JScript etc]
https://path/to/psynch/nph-psa.exe?css=";>[VBScript, JScript etc]

File Include Vulnerability

All credits go to JeiAr of GulfTech Computers and CSA 
Security Research http://www.gulftech.org
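
A log check for the two request patterns listed under "Code Injection Vulnerability", added here as an example and not part of the original post: it flags access-log requests to nph-psf.exe or nph-psa.exe whose css value, after percent-decoding, contains a quote or angle bracket. The Combined Log Format, the sample log lines and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints and parameter named in the advisory.
ENDPOINTS = ("nph-psf.exe", "nph-psa.exe")
PARAM = "css"
# Characters that let a value break out of a quoted HTML attribute or tag.
BREAKOUT = re.compile(r'["\'<>]')
# Request line of a Common/Combined Log Format entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, made-up css values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:00:00:01 +0000] "GET /psynch/nph-psf.exe?css=default.css HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2000:00:00:02 +0000] "GET /psynch/nph-psa.exe?css=%22%3B%3E%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2000:00:00:03 +0000] "GET /psynch/nph-psf.exe?css=%2522%253B%253E HTTP/1.1" 200 512',
    '198.51.100.8 - - [01/Jan/2000:00:00:04 +0000] "GET /index.html?css=%22 HTTP/1.1" 200 512',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %2522 and %22 both become a quote."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_css(log_line):
    """Return the decoded css value if the request matches the pattern, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith(ENDPOINTS):
        return None  # only the two endpoints from the advisory are checked
    for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        value = fully_decode(raw)
        if BREAKOUT.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    results = [(n, suspicious_css(line)) for n, line in enumerate(lines, 1)]
    return [(n, value) for n, value in results if value is not None]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: css={value!r}")
```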
