Re: Multiple vulnerabilities in TietoEnator's Procapita school administration system, at least version
- From: Juha-Matti Laurio <juha-matti.laurio@xxxxxxxx>
- Date: Sun, 6 Jul 2008 23:10:46 +0300 (EEST)
The vendor Nextime Solutions has informed about the release of upcoming bugfix version this week.
The company VP has stated that the test process of fixed version is started and a fixed version will be delivered to customers before a new academic term.
TietoEnator sold its education business in Finland to Nextime Solutions Oy on 1st Jan 2008.
Vendor's response and information about the bugfix timeline was covered in local IT news (in Finnish):
Product: Procapita (school administration system)
Vendor: TietoEnator Abp
Vulnerable versions: unknown
Found: months ago
The program also contains other SQL injection vulnerabilities in text fields etc. accessible after login - especially ones that are used to search for information, which may allow compromise of sensitive personal information in the database via injection to a SELECT query.
The program prints exception handlers to the browser, including Oracle database error strings.
The session cookie lacks the 'secure' flag, and if a logged-in user clicks a link with the http: scheme (such links exist in the school district's web pages) the cookie will be sent in plain text.
The session cookie is not tied to the visitor's IP address.
The program gives the user no way of changing the password or disabling the login. The un-changeable password generated by the system is alphanumeric and only six characters.
The versioning of the program is so vague (the pages have either no version information at all or conflicting information) that it is impossible to say which versions are vulnerable, especially since I have no access to multiple installations, any docs or source.
The vulnerabilities have been reported to the vendor when they were found.
Exploits: None known
Fix: Modify code to properly sanitize user input server side.