Security of admin passwords


Postby ari » 26 Jun 2017 12:07

Password exposure in Cognito Software Moneyworks 8.0.3 and earlier allows attackers to gain administrator access to all data, because verbose logging writes the administrator password to a world-readable file.

Affected versions: Moneyworks - All versions up to 8.0.3

What does this mean to you? If you turn on verbose logging in Moneyworks Datacentre, the admin and web passwords are logged in cleartext to the log files. If your server computer is tightly controlled and users don't have access of any sort to it, then you should be fine. Otherwise, if that server is used for other purposes and users have access to it for any reason, they may also be able to access the log files and discover those passwords.

In my case, that server is used as a Jenkins slave and therefore users have read rights to world readable files across the system. Use of the server as a file share, web server, etc may also expose those files depending on your specific setup.

How to avoid the problem

Don't turn on verbose logging, or if you do, immediately delete all log files and empty the trash. There are no other workarounds I know of.

A CVE has been created: https://gist.github.com/ari/e0dd74c12d8 ... 65118e8c30
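The check the post describes (find log files that other users on the box can read and that carry the cleartext admin or web password, then lock them down and delete them) as an added Python example. This is not code from the post or from Cognito: the log directory, the file name `moneyworks-verbose.log`, the `*.log` glob and the password patterns are assumptions, and the sample log text is constructed, since the real Datacentre verbose-log format is not shown on this page.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Lines that look like a credential written out in cleartext. The field
# names are assumptions; the real Datacentre log format is not known here,
# so the patterns are deliberately loose.
CRED_PATTERNS = (
    re.compile(r"(?i)\b(admin|web)[ _-]?(pass(word)?|pwd)\b\s*[:=]\s*\S+"),
    re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
)

# Constructed sample of a leaky verbose log. Not real MoneyWorks output.
SAMPLE_LOG = """\
2017-06-26 12:07:01 server starting, verbose logging on
2017-06-26 12:07:02 client connect from 10.0.0.12
2017-06-26 12:07:02 admin password: Tr0ub4dor&3
2017-06-26 12:07:03 web password = hunter2
2017-06-26 12:07:04 opened document Company.moneyworks
"""


def is_world_readable(path):
    """True if 'other' can read the file: the exposure condition in the post."""
    return bool(Path(path).stat().st_mode & stat.S_IROTH)


def credential_lines(path):
    """(line_no, text) for every line matching a credential pattern."""
    hits = []
    with Path(path).open("r", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            if any(p.search(line) for p in CRED_PATTERNS):
                hits.append((n, line.rstrip("\n")))
    return hits


def audit(log_dir, glob="*.log"):
    """Report every log file that is world-readable or carries a
    credential-like line; a file with both is the CVE-2017-9615 case."""
    report = {}
    for path in sorted(Path(log_dir).glob(glob)):
        if path.is_file():
            hits = credential_lines(path)
            readable = is_world_readable(path)
            if hits or readable:
                report[str(path)] = {"world_readable": readable, "hits": hits}
    return report


def lock_down(path):
    """Drop group/other access (mode 0600); return the resulting mode bits."""
    p = Path(path)
    p.chmod(stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(p.stat().st_mode)


def scrub(path):
    """Overwrite with zeros, then unlink. Best effort only: journaling,
    copy-on-write and SSD wear levelling can keep old blocks around, so
    treat the logged password as burned and change it regardless."""
    p = Path(path)
    with p.open("r+b") as fh:
        fh.write(b"\0" * p.stat().st_size)
        fh.flush()
        os.fsync(fh.fileno())
    p.unlink()
    return not p.exists()


def write_sample(log_dir):
    """Create the constructed sample as a world-readable log file."""
    path = Path(log_dir) / "moneyworks-verbose.log"  # file name is assumed
    path.write_text(SAMPLE_LOG)
    path.chmod(0o644)
    return path


def run_demo():
    """Audit, lock down and scrub the sample in a scratch directory and
    return what each step found."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_sample(tmp)
        before = audit(tmp)[str(path)]
        mode = lock_down(path)
        after = audit(tmp)[str(path)]
        return {
            "before": before,
            "mode_after_lock": mode,
            "readable_after_lock": after["world_readable"],
            "scrubbed": scrub(path),
            "remaining": audit(tmp),
        }


if __name__ == "__main__":
    result = run_demo()
    for n, text in result["before"]["hits"]:
        print(f"line {n}: {text}")
    print("mode after lock_down: %o" % result["mode_after_lock"])
    print("scrubbed:", result["scrubbed"])
```

On a real server, point `audit()` at the Datacentre log directory instead of the scratch sample. Locking down and deleting the file only stops further reads; anything that was readable while it sat on disk should be treated as exposed, so change the admin and web passwords afterwards as well.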


Re: Security of admin passwords

Postby rowan » 29 Jun 2017 15:14

Yep. Don't turn on Verbose Logging unless you have a very good reason to do so.

It is worth being aware that someone who has admin rights on the server _can_ do so though.


Re: Security of admin passwords

Postby ari » 30 Jun 2017 14:25

Yes, good point. That means that any user with admin rights to the Moneyworks Server preferences can escalate their permissions by turning on verbose logging and thereby gain access to all the data in any Moneyworks data file.

The CVE was published: https://nvd.nist.gov/vuln/detail/CVE-2017-9615

