Summary

The Password Station interface does not disable the user search functionality; instead it only hides the icon, allowing unauthenticated users to retrieve a list of all users able to reset their passwords, along with any other information stored with them in AD. It is also possible to view the LDAP search path.

The developer was notified on the 29/11/14. After initial contact Avatier were "Unable to replicate the issues"; due to a lack of access to a later version of the software to test against, the user disclosure and LDAP disclosure may have been fixed in version 9.

Classification / Timeline

Classification:

Type: Missing Functional Level Access Control
OWASP Top 10: MFLAC
CWE: 935
CVSS Score: 5.0 Base
CVE Number: Not assigned :(

Timeline:

Vendor Notified: 24-11-2014
Vendor Patch: Unknown
Publicly Published: 26-04-2015
Last Updated: 26-04-2015

Details

Unauthenticated remote users are able to force a request that searches for all users behind the Password Station application by crafting a GET request to the following URL (replacing XXXAD with the remote AD name), with an example URL using the live demo system below:

Loading.aspx?Ctl=editUserID&attr=samAccountName&attrdisp=SAM%20Account%20Name&sysid=XXXAD&mode=query&objtype=undefined&adgrpmode=0&searchText=

http://livedemo.passwordstation.net/Loading.aspx?Ctl=editUserID&attr=samAccountName&attrdisp=SAM%20Account%20Name&sysid=LIVEDEMO&mode=query&objtype=undefined&adgrpmode=0&searchText=

An incorrect AD name leads to the error "Searches are not currently supported for this directory service type or system is down.", whereas a correct AD name returns a user list.

If you are unsure of the AD name in use, you can retrieve it from the following URL, with an example using the live demo below (however, many installations seem to be found under aims/ps):

ps/PB70ChangePassword.aspx

http://livedemo.passwordstation.net/ps/PB70ChangePassword.aspx

Classification / Timeline

Classification:

Type: Information Disclosure
OWASP Top 10: MFLAC
CWE: 200
CVSS Score: 5.0 Base (seems a bit high)
CVE Number: Not assigned :(

Timeline:

Vendor Notified: 24-11-2014
Vendor Patch: Unknown
Publicly Published: 26-04-2015
Last Updated: 26-04-2015

Details

Unauthenticated remote users are able to force a request that searches for the OU groups and LDAP paths behind the Password Station application by crafting a GET request to the following URL (replacing XXXAD with the remote AD name), with an example URL using the live demo system below:

oupicker.aspx?OuCtlDisplay=2&OuCtlDN=2&domain=XXXAD

http://livedemo.passwordstation.net/oupicker.aspx?OuCtlDisplay=2&OuCtlDN=2&domain=LIVEDEMO
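Since the two endpoints above are reachable without a session, the practical defence until the vendor confirms a fix is to watch web server logs for them. The following is an added example (not Avatier's code) that flags unauthenticated hits on both the Loading.aspx user search and the oupicker.aspx OU picker in constructed IIS W3C log lines; the field order in the #Fields line is assumed and the IP addresses are documentation ranges.

```python
"""Flag unauthenticated requests to the two Password Station endpoints
described in this advisory. Added detection example, not vendor code;
the IIS W3C field layout below is assumed and the log lines are constructed."""
from urllib.parse import parse_qs

# Constructed sample IIS log (field order assumed, adjust to your site).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs-username sc-status
2014-11-24 10:01:02 203.0.113.7 GET /Loading.aspx Ctl=editUserID&attr=samAccountName&sysid=LIVEDEMO&mode=query&searchText= - 200
2014-11-24 10:01:09 203.0.113.7 GET /oupicker.aspx OuCtlDisplay=2&OuCtlDN=2&domain=LIVEDEMO - 200
2014-11-24 10:02:00 198.51.100.5 GET /Loading.aspx Ctl=editUserID&mode=query&sysid=LIVEDEMO&searchText=j.smith jsmith 200
2014-11-24 10:03:00 198.51.100.9 GET /ps/PB70ChangePassword.aspx - - 200
2014-11-24 10:04:00 203.0.113.8 GET /Loading.aspx Ctl=editUserID&mode=query&sysid=WRONGAD&searchText= - 500
"""

def _suspicious(stem, query):
    """Return a rule name if the request matches one of the advisory's endpoints."""
    stem = stem.lower()
    q = parse_qs(query, keep_blank_values=True)
    if stem.endswith("/loading.aspx") and q.get("Ctl") == ["editUserID"] and q.get("mode") == ["query"]:
        return "user enumeration (Loading.aspx editUserID query)"
    if stem.endswith("/oupicker.aspx") and "domain" in q:
        return "OU/LDAP path disclosure (oupicker.aspx)"
    return None

def scan_iis_log(text):
    """Return findings for unauthenticated (cs-username '-') hits on the endpoints.
    A 2xx response is a likely disclosure; anything else (e.g. the 'system is
    down' error returned for a wrong AD name) is recorded as a probe."""
    fields, findings = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
        rule = _suspicious(rec["cs-uri-stem"], query)
        if rule is None or rec["cs-username"] != "-":
            continue  # not one of the endpoints, or an authenticated user
        status = int(rec["sc-status"])
        findings.append({
            "ip": rec["c-ip"],
            "rule": rule,
            "outcome": "disclosure" if 200 <= status < 300 else "probe",
        })
    return findings

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['outcome']:10} {f['rule']}")
```

Hits from authenticated users are deliberately skipped, since the search control is a legitimate feature once logged in; only anonymous access to it is the defect.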

The presence of these two exposed functions suggests that there may be more functions which, when called directly, could output sensitive information. If any readers use the Password Station program and would allow me to have a poke around to see what else I can find, it would be much appreciated!