[VIM] [OSVDB Mods] [Change Request] 23617: Kwik-Pay Payroll KwikPay.mdb Information Disclosure
steve at vitriol.net
Thu Feb 15 20:22:32 EST 2007
Kwik-Pay Support wrote:
> It's just that the kwikpay.mdb file contains fictitious demonstration data - not
> any sensitive employment or payment related data. It implies that a file that
> was never intended to be secured should be secured.

So, your objection is due to the inclusion of an actual filename? We're
all agreed that the contents of databases prior to version 4.2.22 were
trivially accessible to a local user?

> It only applies if the user themselves create their own payroll database in the
> installation directory. The software itself does not force any user payroll
> database to be created there - it is only created there if the user specifically
> requests it!
>
> I'd prefer if the whole report was removed as we believe that it was created by
> people who did not understand how the system worked, and did not even contact us
> to find out before they created the report!

If the databases are trivially accessible by local users, then the entry
will certainly stay. Most installations will follow the path of least
resistance, and unless the program requires an encrypted database, then
this is a legitimate concern.

> p.s. I had some correspondence with Brian yesterday. Is he always so offensive?

OSVDB is a volunteer effort, staffed by people whose only goal is to
provide a comprehensive, accurate database of reported computer and
network security vulnerabilities. Brian has been a key force in making
our database as complete and accurate as we can make it, with no
compensation and little recognition. I'm proud to work with him for an
equivalent amount of compensation and recognition.

So, when we are approached by someone, and the very first accusatory
words of his email are, "It has just been brought to our attention that
you have created this 'security problem' regarding our software," we
don't feel the need to mince words. The vulnerability was created by an
oversight in the development of the application, it was reported by
independent researchers, and then recorded in our database, as
accurately as we are able. We are happy to correct errors in the
database. We are not as happy to take ill-founded abuse as we do it.

I will update our description to remove the offending file name, as it
sounds like a more accurate description of the vulnerability.