EISI Security Response Team
NaviPlan Security Bulletin
NPSB-2008-08-06-01
Published: August 6, 2008
Summary
A code review revealed that NaviPlan Standard and NaviPlan Extended are affected by a file path manipulation vulnerability. Certain files installed with NaviPlan could potentially be exploited.
Severity
Moderate - Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
Recommendation
The vulnerability was removed from NaviPlan Central. No action is required by customers who access NaviPlan Standard and NaviPlan Extended via this hosted format.
Customers who have deployed NaviPlan Standard and/or NaviPlan Extended in their corporate environment are at risk from this vulnerability. EISI recommends applying the provided security patch.
Impact Assessment
Analysis of the NaviPlan Central site logs indicates that the vulnerability was not exploited.
Exploitation of this vulnerability can be detected by analyzing web server access logs. Customers may contact their EISI Relationship Manager for details.
Vulnerability Details
Installations of NaviPlan Standard and NaviPlan Extended are vulnerable to filename tampering. Certain requests in NaviPlan allow an authenticated user to retrieve a file stored in the user’s temporary session storage. By including path traversal characters such as “../” in the requested filename, the user may be able to retrieve files outside of their session storage. In this type of attack, a user could retrieve confidential application configuration files or temporary session files for another session.
This vulnerability is mitigated by the fact that it can only be employed by an authenticated NaviPlan user, and the exact filename must be known. Temporary session files are generated with random filenames, making them difficult to guess. Additionally, temporary session files are typically only stored on disk for a few seconds.
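The access-log review mentioned under Impact Assessment can be sketched as follows. This is an added example, not EISI's detection procedure or code from NaviPlan. It assumes Common Log Format; the `/app/getfile` path, the `name` parameter and all log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# A ".." path segment: preceded by a separator or parameter delimiter,
# followed by a slash, a backslash, or the end of the request target.
TRAVERSAL = re.compile(r"(?:^|[\\/=&?])\.\.(?:[\\/]|$)")

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(r'(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_requests(log_lines):
    """Return (client, user, target, status) for requests containing a '..' segment."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        client, user, _method, target, status = m.groups()
        if TRAVERSAL.search(fully_decode(target)):
            hits.append((client, user, target, int(status)))
    return hits

# Constructed sample log lines (hypothetical endpoint, users and filenames).
SAMPLE_LOG = [
    '10.0.0.5 - alice [06/Aug/2008:10:01:02 +0000] "GET /app/getfile?name=report_8f3a91c2.tmp HTTP/1.1" 200 5120',
    '10.0.0.7 - bob [06/Aug/2008:10:02:10 +0000] "GET /app/getfile?name=../../settings.conf HTTP/1.1" 200 2048',
    '10.0.0.7 - bob [06/Aug/2008:10:02:15 +0000] "GET /app/getfile?name=%2e%2e%5c%2e%2e%5csettings.conf HTTP/1.1" 404 0',
    '10.0.0.9 - carol [06/Aug/2008:10:03:00 +0000] "GET /app/getfile?name=%252e%252e%252fsession_1a2b.tmp HTTP/1.1" 200 900',
    '10.0.0.5 - alice [06/Aug/2008:10:04:00 +0000] "GET /app/getfile?name=summary..v2.tmp HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, user, target, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{client} user={user} status={status} {target}")
```

Hits that returned a success status deserve review first, since the authenticated user name in the log identifies the account that issued the request.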
