Last week we were sent a pentest executed by a security firm on behalf of one of our customers, with a set of security vulnerabilities. I'm not sure we can share the report openly (until most customers upgrade to 3.x), so I'll summarise the things found in this post.
- They only work on 2.x; we tested them on 3.x and they do not work. This is why we want more and more of you on 3.x.
- They require an authenticated account, which means eramba from the outside is still totally shielded.
- You need deep, deep technical skills to work around them (and an authenticated account).
When security issues are reported, we classify them based on three groups:
- You were able to access the system or specific functionalities (with write or read permissions) bypassing authentication and authorization controls (AUTH)
- You are able to affect the data integrity of the software (INTEGRITY)
- You are able to make the system unavailable to users (AVAILABILITY)
ref: FAQ | Eramba
A security bug MUST affect one (or more) of the groups mentioned above. If that is not the case, for us it is still a bug, but one we don't consider a priority; eventually it might be put into the backlog as part of major functionalities.
From the report, we got the following that do meet the requirements above. Again, they only work with authenticated accounts:
| Finding | Relevant | Auth* | Integrity | Availability | Requires valid eramba account | Notes |
|---|---|---|---|---|---|---|
| SQL Injection | YES | Yes | Maybe? | No | Yes | Complicated to make it work, but doable if a very very very long time is available to exploit. Requires really high tech skills. |
| Missing Authorisation Controls (Horizontal) | YES | Yes | Yes | No | Yes | This basically breaks the visualisation rule in eramba by which a user can only see what relates to the user. High tech skills are required to bypass it, but it is doable. |
| Missing Authorisation Controls (Vertical) | YES | Yes | No | No | Yes | Some settings are visible to any authenticated user via direct links. “While important administrative features (such as adding a new or deleting a user) were found only to be accessible to admin users as expected, XXXX found that other, less impactful yet still administrative functions, were available to normal users” |
Thank you again for reporting the issues!!
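The three finding classes in the table above (SQL injection, horizontal authorisation, vertical authorisation) map onto three server-side controls. The following is an added illustration, not eramba's own code or schema: it uses a constructed in-memory SQLite table of "risks" with an owner column, a hypothetical "settings" table, and made-up role names ("admin" and "user") to show a parameterised query, an ownership filter built into the query itself (so a user only sees what relates to them), and a role check that runs on every request rather than only when rendering the menu link.

```python
import sqlite3
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when an authenticated user tries an action their role does not permit."""


@dataclass(frozen=True)
class User:
    """Constructed session user; 'admin' and 'user' are hypothetical role names."""
    name: str
    role: str


def build_db():
    """Constructed in-memory sample data for this example, not eramba's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE risks (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    db.execute("CREATE TABLE settings (key TEXT PRIMARY KEY, value TEXT)")
    db.executemany(
        "INSERT INTO risks VALUES (?, ?, ?)",
        [(1, "Data centre flood", "alice"), (2, "Vendor breach", "bob")],
    )
    db.execute("INSERT INTO settings VALUES ('mail_server', 'smtp.example.invalid')")
    db.commit()
    return db


def _row_to_dict(row):
    return None if row is None else {"id": row[0], "title": row[1], "owner": row[2]}


def get_risk(db, user, risk_id):
    """Horizontal check: a non-admin can only fetch records they own.

    The ownership filter is part of the WHERE clause, so a valid id that
    belongs to someone else yields None, the same answer as an id that does
    not exist; the caller cannot tell the two apart.
    """
    if user.role == "admin":
        row = db.execute(
            "SELECT id, title, owner FROM risks WHERE id = ?", (risk_id,)
        ).fetchone()
    else:
        row = db.execute(
            "SELECT id, title, owner FROM risks WHERE id = ? AND owner = ?",
            (risk_id, user.name),
        ).fetchone()
    return _row_to_dict(row)


def search_risks(db, user, fragment):
    """Search by title with the fragment bound as a parameter, never interpolated.

    LIKE wildcards in the user input are escaped so the fragment matches
    literally, and the same owner filter as get_risk applies to the search.
    """
    escaped = fragment.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pattern = f"%{escaped}%"
    if user.role == "admin":
        rows = db.execute(
            "SELECT id, title, owner FROM risks WHERE title LIKE ? ESCAPE '\\' ORDER BY id",
            (pattern,),
        ).fetchall()
    else:
        rows = db.execute(
            "SELECT id, title, owner FROM risks "
            "WHERE title LIKE ? ESCAPE '\\' AND owner = ? ORDER BY id",
            (pattern, user.name),
        ).fetchall()
    return [_row_to_dict(r) for r in rows]


def update_setting(db, user, key, value):
    """Vertical check: the role is enforced server side on every request.

    Hiding the settings link in the menu is not a control; a user who knows
    the direct URL reaches this handler anyway, so the check lives here.
    """
    if user.role != "admin":
        raise AuthorizationError(f"{user.name} ({user.role}) may not change settings")
    db.execute("UPDATE settings SET value = ? WHERE key = ?", (value, key))
    db.commit()
    return db.execute("SELECT value FROM settings WHERE key = ?", (key,)).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    alice, root = User("alice", "user"), User("root", "admin")
    print(get_risk(db, alice, 1))      # alice's own record
    print(get_risk(db, alice, 2))      # None: owned by bob
    print(search_risks(db, root, "'")) # []: the quote is matched literally
    print(update_setting(db, root, "mail_server", "mail.example.invalid"))
```

The point of putting the owner filter inside the query, rather than fetching the row and comparing afterwards, is that every code path that reads the table inherits the rule; a new search or export endpoint cannot forget it. The role check in update_setting is deliberately independent of any UI state for the same reason the report describes: direct links bypass whatever the menu hides.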