
Security Advisory 06 – 003 – P-Synch permits reduced authentication complexity in Forgotten Password mechanism

Vulnerable System:

M-Tech P-Synch Password Management Software



Other versions:


Vulnerability discovery and development:

Portcullis Security Testing Services discovered this vulnerability.

Affected Systems:

The vulnerability was found and verified against a system running on a Windows 2000 platform.


It was noted that, in addition to the application failing to check that the supplied POST request corresponds to the questions presented to the user, it was possible to supply three instances of the same question and answer pair. Assuming that the presented answer is correct, the application authenticates the user successfully.

An example POST is detailed below:

POST /nph-psf.exe HTTP/1.1
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.7) Gecko/20050420 Firefox/1.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 259


In conjunction with the discovery that the application fails to track which questions have been asked, it is possible for a malicious user who knows the answer to only one of the security questions associated with the target user to authenticate to the P-Synch application and modify the target user's domain password.
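
The server-side check whose absence is described above, shown as an added example that is not part of the original advisory and is not P-Synch code. The question ids, answers, session dictionary and function names are all hypothetical; verify_weak models the behaviour the advisory reports, and verify_strict binds the submitted answers to the questions actually issued.

```python
import hmac
import secrets

# Constructed sample profile: question id -> enrolled answer (hypothetical data).
PROFILE = {"q1": "rex", "q2": "leeds", "q3": "smith", "q4": "blue"}
REQUIRED = 3  # number of questions the user must answer


def issue_challenge(session):
    """Choose the questions server-side and record them in the session."""
    session["asked"] = secrets.SystemRandom().sample(sorted(PROFILE), REQUIRED)
    return list(session["asked"])


def _answer_ok(qid, answer):
    expected = PROFILE.get(qid)
    return expected is not None and hmac.compare_digest(
        expected.encode(), answer.strip().lower().encode())


def verify_weak(session, pairs):
    """Behaviour reported in the advisory: the question ids in the POST are
    trusted and duplicates are accepted, so one known answer sent 3 times passes."""
    return len(pairs) == REQUIRED and all(_answer_ok(q, a) for q, a in pairs)


def verify_strict(session, pairs):
    """Require exactly one answer for each question that was issued."""
    asked = session.pop("asked", None)  # single use: the challenge cannot be replayed
    if not asked or len(pairs) != len(asked):
        return False
    submitted = [q for q, _ in pairs]
    if len(set(submitted)) != len(submitted) or set(submitted) != set(asked):
        return False  # duplicate question, or a question that was never asked
    results = [_answer_ok(q, a) for q, a in pairs]  # evaluate every answer
    return all(results)
```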


None required

Vendor Status:

Notified via email 17 February 2006


Copyright © Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.


The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.