@ari
Last active June 25, 2017 23:49
CVE-2017-9615
[Suggested description]
Password exposure in Cognito Software Moneyworks 8.0.3 (http://cognito.co.nz/) and earlier allows a local attacker to gain administrator access to all data, because verbose logging writes the administrator password to a world-readable file that any user on the host can read.
------------------------------------------
[Additional Information]
1. Original issue discovered and reported to the vendor: 6 June 2017
2. Vendor response acknowledging issue: 6 June 2017
3. Vendor second response confirming they do not plan on fixing the issue: 12 June 2017
4. I've confirmed again with the developer that they don't intend to fix this bug in the short term: 23 June 2017
------------------------------------------
[VulnerabilityType Other]
Password exposure in logs
------------------------------------------
[Vendor of Product]
Cognito Software
------------------------------------------
[Affected Product Code Base]
Moneyworks - All versions up to 8.0.3
------------------------------------------
[Affected Component]
Moneyworks executable
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
When logging is set to verbose, the Moneyworks executable writes administrator passwords to log files that are world-readable, so any local user on the host can recover them.
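The condition described above (a credential written to a file readable by every local user) can be audited for on a host. The following is an added example, not code from the advisory or from Cognito Software: it walks a directory, reports only files that are both world-readable and contain credential-looking lines, and shows the hardened counterpart, a redaction step applied before a line is logged. The credential pattern and the sample log lines are constructed for illustration; the advisory does not document the actual Moneyworks log format.

```python
"""
Added example (not from the advisory or from Cognito Software): a local
audit for world-readable files that carry logged credentials, the
condition CVE-2017-9615 describes, plus a redaction helper showing the fix.
The regex and the sample log lines are constructed assumptions; the
advisory does not document the real Moneyworks log format.
"""
import os
import re
import stat
import tempfile

# Assumed credential pattern: key, separator, value. Real products vary.
CREDENTIAL_RE = re.compile(r"(password|passwd|pwd)(\s*[:=]\s*)(\S+)", re.IGNORECASE)


def is_world_readable(path):
    """True if the other-read bit is set, i.e. any local user can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_file(path):
    """Return (line_no, line) pairs that appear to contain a logged credential."""
    hits = []
    with open(path, "r", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            if CREDENTIAL_RE.search(line):
                hits.append((n, line.rstrip("\n")))
    return hits


def find_exposed_credentials(root):
    """Walk root and report files that are BOTH world-readable AND contain
    credential-looking lines. A 0600 log holding a password is still a bug,
    but it is not the cross-user exposure the advisory describes."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not is_world_readable(path):
                continue
            hits = scan_file(path)
            if hits:
                findings.append((path, hits))
    return findings


def redact(line):
    """Hardened counterpart: mask the secret before the line reaches any log,
    keeping the key and separator so the log stays useful for debugging."""
    return CREDENTIAL_RE.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", line)


def build_sample_tree():
    """Constructed sample: a 0644 verbose log leaking a password, a 0600 log
    with the same content, and a harmless 0644 log. Returns the paths."""
    root = tempfile.mkdtemp(prefix="logaudit_")
    leaking = os.path.join(root, "verbose.log")
    private = os.path.join(root, "private.log")
    benign = os.path.join(root, "app.log")
    body = ("2017-06-06 10:00:01 login user=admin password=s3cret!\n"
            "2017-06-06 10:00:02 opened file ledger.mwd\n")
    for path, content, mode in ((leaking, body, 0o644),
                                (private, body, 0o600),
                                (benign, "2017-06-06 10:00:03 startup ok\n", 0o644)):
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root, leaking, private, benign


if __name__ == "__main__":
    root, leaking, private, benign = build_sample_tree()
    for path, hits in find_exposed_credentials(root):
        for n, line in hits:
            print(f"{path}:{n}: {line}")
            print(f"    would have been logged as: {redact(line)}")
```

Run against a real log directory by calling `find_exposed_credentials("/path/to/logs")`; the mode-bit check is deliberately narrow (other-read only), so a file exposed through a permissive group or an ACL will not be flagged and needs a separate check.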
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Aristedes Maniatis