Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Solved -flaws in e-business designer (eBD)
From: "Joxean Koret" <joxeanpity () gmail com>
Date: Tue, 20 Jun 2006 12:25:56 +0200

Thats not exactly true... because 2nd vulnerability says the following:

Input validation error that affects to:

v2.3.3 without authentication

and

v3.1.4 require admin access

That means that versions 2.3.3 have a remote vuln exploitable by everyone...
so you should admit the existence of the vulnerability since some of your
customers are still using that version (and they should upgrade)

And you never can affirm:

"The other mentioned vulnerabilities have no relation to eBD. System
Managers are in charge of configuring their servers in a secure way, whether
or not they are executing eBD ."

You should better say, something like:

"Some of the input validation errors are fixed in version 3.1.4, others that
require admin access to the application are not"

Anyways from a security related point of view... every input validation
error must be fixed, also in authenticated areas of the applications...

This kind of bugs, can be used to trick the real admin and create other
situations where an attacker could take advantage of the bug.

Talking about the 3rd commented bug... In every guide like "Building secure
web applications" says that is recommendable to force the autentication
throug SSL instead clear http ... that could be achieved by the sysadmin..
but is a good idea to check or force that from the application source.. (is
really easy to do!!)

Regards



On 6/20/06, Blanca Pons de Dalmases <bpons () oasyssoft com> wrote:

 Dear all,

*The second vulnerability*  - (2) Sql injection and path disclosure - says
that a user who is authenticated as a manager, can use SQL injection to
modify the data of the data base.
This could be consider as a *bug*, but *not as a vulnerability*, since ALL
the "manager users" have a tool in eBD called SQLManager, that allows
them to send querys against the data base with no need to use SQL Injection.
The "manager users" in eBD are "application developers", and they can create
tables, modify the data, etc…, they do not need to use SQL injection to
obtain this, so we can not consider this as a security vulnerability.

If you require further information, please contact us at
ebd.soporte () oasyssoft com
In spanish: "La segunda vulnerabilidad dice que un usuario que esta
autenticado como administrador, puede usar sql injection para modificar los
datos de la  base de datos. Esto podria considerarse un bug, pero no una
vulnerabilidad, ya que  TODOS los usuarios administradores tienen una
herramienta en eBD llamada  SQLManager, que les permite lanzar querys contra
la base de datos sin  necesidad de usar SQL Injection. Los usuarios
administradores en eBD son  desarrolladores de aplicaciones, y pueden crear
tablas, modificar los datos, etc..., no necesitan usar sql injection para
conseguir esto, con lo que no se puede considerar una vulnerabilidad de
seguridad."

 Blanca Pons
bpons () oasyssoft com
Dir. Marketing y Comunicación
e-business designer
 C/ Sardenya 56 Local
08005 Barcelona
Tel: 902 181 349
Fax: 932 217 303
www.oasyssoft.com
2655 Le Jeune Rd. Suite 517
Coral Gables, FL 33134 United States
Phone: +1(305) 448 2148
Fax: +1(305) 448 0097
www.ebdsoft.com

eBD es un producto Oasyssoft
Este mensaje (así como los archivos adjuntos o los links que contiene)
puede contener información privilegiada o confidencial. Si no es usted el
destinatario indicado, queda notificado de que la utilización, divulgación
y/o copia sin autorización está prohibida en virtud de la legislación
vigente. Si ha recibido este mensaje por error, le rogamos que nos lo
comunique inmediatamente por esta misma vía y proceda a su destrucción.

This email (and any attachments or hyperlinks within it) may contain
information that is confidential, legally privileged or otherwise protected
from disclosure. If you are not the intended recipient of this email, you
are not entitled to use, disclose, distribute, copy, print, disseminate or
rely on this email in any way. If you have received this email in error,
please notify the sender immediately by telephone or email and destroy it,
and all copies of it.

----- Original Message -----
*From:* Joxean Koret <joxeanpity () gmail com>
*To:* Blanca Pons de Dalmases <bpons () oasyssoft com> ;
full-disclosure () lists grok org uk
*Sent:* Friday, June 16, 2006 7:33 PM
*Subject:* Re: [Full-disclosure] Solved -Several flaws in e-business
designer (eBD)

The advisory talk about 3 vulnerabilities

1) File upload issues (related with your patch).

2) Sql injection and path disclosure.

3) Clear text autentication.

I can assume that sysadmin could force https by himself, but... really the
2nd vuln is not related with eBD?


On 6/16/06, Blanca Pons de Dalmases <bpons () oasyssoft com> wrote:
>
>   A Bug in the eBD HTML editor has been discovered. It will allow an
> user to modify the images of the /imgfiles folder (the files raised in the
> option resources > images).
>
> Oasyssoft, the producer, has installed the patch in all our servers, so
> all MyeBD users are updated since the end of may.
>
> Anyway, you will find here the emergency Patch instalation
> http://lists.oasyssoft.com/ebd-devel/200605/binNr7awTFdvt.bin  for
> being installed at your servers. Althought this patch is for version
> 3.1.4, it is also available in all eBD versions.
>
> The other mentioned vulnerabilities have no relation to eBD. System
> Managers are in charge of configuring their servers in a secure way,
> whether or not they are executing eBD .
>
> If you require further information, please contact us at
> ebd.soporte () oasyssoft com >
>  Blanca Pons
> bpons () oasyssoft com
> Dir. Marketing y Comunicación
> e-business designer
>  C/ Sardenya 56 Local
> 08005 Barcelona
> Tel: 902 181 349
> Fax: 932 217 303
> www.oasyssoft.com
> 2655 Le Jeune Rd. Suite 517
> Coral Gables, FL 33134 United States
> Phone: +1(305) 448 2148
> Fax: +1(305) 448 0097
> www.ebdsoft.com
>
> eBD es un producto Oasyssoft
> Este mensaje (así como los archivos adjuntos o los links que contiene)
> puede contener información privilegiada o confidencial. Si no es usted el
> destinatario indicado, queda notificado de que la utilización, divulgación
> y/o copia sin autorización está prohibida en virtud de la legislación
> vigente. Si ha recibido este mensaje por error, le rogamos que nos lo
> comunique inmediatamente por esta misma vía y proceda a su destrucción.
>
> This email (and any attachments or hyperlinks within it) may contain
> information that is confidential, legally privileged or otherwise protected
> from disclosure. If you are not the intended recipient of this email, you
> are not entitled to use, disclose, distribute, copy, print, disseminate or
> rely on this email in any way. If you have received this email in error,
> please notify the sender immediately by telephone or email and destroy it,
> and all copies of it.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]