Security Advisory 06 – 004 – P-Synch permits GET or POST requests
M-Tech P-Synch Password Management Software
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability.
The vulnerability was found and verified against a system running on a Windows 2000 platform.
It was observed that the application will accept either GET or POST methods.
By accepting GET requests, the application makes an attack easier to carry out for a malicious user who has only a limited toolset available to subvert it.
By design, the tested application makes POST requests to relay information between client and server. To modify these communications, the Test Team relied on an HTTP proxy server running locally on their workstations. Because the GET method is also accepted, an attacker could instead freely modify the requests using only their web browser.
In a restricted environment, it may not be possible for the attacker to install arbitrary tools on their workstation, so the ability to make GET requests makes the job of the attacker considerably easier.
Vendor notified via email on 17 February 2006
M-Tech does not consider this to be a real security problem. At most, it enables would-be intruders to attack P-Synch with slightly more convenience. Attackers can reformulate HTTP POST requests just as well as they can reformulate HTTP GET requests, with nothing more than a text editor and Telnet client. Moreover, even in restricted environments, an attacker can just bring his own laptop into work, set its MAC address to match that of his normal workstation, and use whatever tools he wants to attack the network. Finally, an attacker that already controls a workstation (e.g., an “insider”) can always compromise the local administrator credentials and install a keylogger or other malware. An organization that really wants to prevent HTTP GET requests into P-Synch can do so quite easily by placing it behind a filtering reverse web proxy (e.g., Apache). This is a normal configuration for Extranet-facing deployments, for example.
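The following is an added example, not code from the Portcullis advisory or from M-Tech's product. It illustrates both the weakness described in the finding (an application that treats GET and POST interchangeably) and the filtering-proxy mitigation the vendor response suggests: a small method-enforcement rule of the kind a reverse proxy would apply in front of POST-only endpoints, plus a log check that flags any request that reached such an endpoint with a method other than POST. The endpoint paths, IP addresses and log lines are constructed for the example; P-Synch's real URL layout is not described on the page.

```python
"""Added example (not part of the advisory or of P-Synch): enforce POST-only
endpoints the way a filtering reverse proxy would, and scan access logs for
requests that reached those endpoints with another method.

All paths, addresses and log lines below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional
import re

# Hypothetical form-submission endpoints that must only be reached by POST.
# These path names are assumptions for the example, not P-Synch's real paths.
POST_ONLY_ENDPOINTS = {"/psynch/login", "/psynch/reset", "/psynch/answer"}


@dataclass
class Decision:
    allowed: bool
    status: Optional[int]   # HTTP status the filter would return when blocking
    reason: str


def enforce_method(method: str, path: str,
                   post_only=POST_ONLY_ENDPOINTS) -> Decision:
    """Decide whether a request may be passed through to the application.

    Rule: state-changing endpoints accept only POST; everything else passes.
    Returning 405 (Method Not Allowed) tells a legitimate client what went
    wrong without disclosing anything about the endpoint itself.
    """
    method = method.upper()
    # Strip the query string before matching, so '/psynch/login?user=x'
    # is still recognised as the login endpoint.
    bare_path = path.split("?", 1)[0]
    if bare_path in post_only and method != "POST":
        return Decision(False, 405, f"{method} not allowed on {bare_path}")
    return Decision(True, None, "passed to application")


# Apache-style combined log format (constructed sample), e.g.
# 10.0.0.5 - - [17/Feb/2006:10:00:00 +0000] "GET /psynch/login HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def find_get_to_post_only(log_lines, post_only=POST_ONLY_ENDPOINTS):
    """Return (ip, timestamp, path) for every logged request that hit a
    POST-only endpoint with a method other than POST.  A non-empty result
    means someone drove the application straight from a browser address bar
    (or similar), which is the behaviour the advisory describes."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        decision = enforce_method(m["method"], m["path"], post_only)
        if not decision.allowed:
            hits.append((m["ip"], m["ts"], m["path"]))
    return hits


# Constructed sample log lines so the example runs stand-alone.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Feb/2006:10:00:00 +0000] "POST /psynch/login HTTP/1.1" 200 512',
    '10.0.0.5 - - [17/Feb/2006:10:00:07 +0000] "GET /psynch/login?user=alice&pw=x HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Feb/2006:10:01:00 +0000] "GET /psynch/help.html HTTP/1.1" 200 2048',
    '10.0.0.9 - - [17/Feb/2006:10:01:30 +0000] "HEAD /psynch/reset HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, ts, path in find_get_to_post_only(SAMPLE_LOG):
        print(f"{ts} {ip} reached a POST-only endpoint with a non-POST method: {path}")
```

The second sample line also shows a side effect the advisory does not mention but that a defender should weigh: when a form is submitted by GET, its parameters end up in the URL and therefore in proxy and server access logs and browser history, whereas a POST body does not. The same `enforce_method` rule serves both as a proxy filter (block before the application sees the request) and as a retrospective check over existing logs.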