mailing list archives
Authentication flaw in APS-Soft DTE Axiom (CVE-2012-2455)
From: Tomas Rzepka <tomas () certezza net>
Date: Thu, 6 Sep 2012 16:55:44 +0200
Release date: 2012-09-06
Discovered by: Tomas Rzepka, Certezza AB, http://www.certezza.net
Vendor: Advanced Productivity Software (http://www.aps-soft.com)
Versions Affected: Versions prior 12.3.3
CVSS Base Score: 8.5 (AV:N/AC:L/Au:N/C:C/I:P/A:N)
In a penetration test we discovered a security flaw in DTE Axiom Mobile Solution.
The security vulnerability can cause customers loss of sensitive data, such as usernames, customer relations and
Advanced Productivity Software DTE Axiom has a server application that can be published on the Internet to give users
of iPhone/iPad and Black Berry access to the time tracking system. User is deployed by enabling the feature on each
user in the backend administration. The user gets an e-mail from the system which contains two links. One link to
download the application (from Apple AppStore). The other link is to feed the smart phone application with
configuration such as server address, username, database and registration ID (GUID). The application communicates with
the server over HTTPS.
Although the application has a registration ID to identify each device it is never used. By posting applicable HTTP
parameters to the application server, anyone with knowledge how the application works can extract and alter information
about users, customers, projects, etc., without being authenticated to the server. We only had access to an iPhone/iPad
device so we could not test the Black Berry functionality and it does not use the same API. The security issue does not
exist in the Black Berry API according to the vendor.
Vendor has released a new version (12.3.3) which fixes this specific issue.
2012-05-07: Vendor disclosures
2012-05-07: Vendor response
2012-09-04: Fix released
2012-09-06: Public disclosure
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Authentication flaw in APS-Soft DTE Axiom (CVE-2012-2455) Tomas Rzepka (Sep 08)