Unpatched vulnerability leaves organizations wide open to attacks

UPDATE (22/5) A MyBiz representative responded to our request for comment yesterday, stating: “These two vulnerabilities, file upload and cross-site scripting, have been addressed… and the system has been in production since. All clients who have since upgraded to [the latest version] do not face these vulnerabilities.”

Businesses using MyProcureNet, a procurement software product developed by MyBiz, have been urged to stop using the application, after researchers discovered a critical flaw that could enable attackers to gain access to internal company data.

MyProcureNet is a web-based application that enables organizations to create requests for proposals and tenders, evaluate and select vendors, and complete payments.

While the application aims to streamline the procurement process, researchers at SEC Consult Vulnerability Lab discovered that an attacker could leverage the flaw to upload malicious files to an organization’s webserver.

The vulnerability exists because the whitelist of permitted file extensions is carried in a client-controlled form parameter, HiddenFieldControlCustomWhiteListedExtensions. An attacker can modify that parameter and add arbitrary extensions to the whitelist while submitting the upload, so the server-side check is effectively decided by the attacker.

By way of example, the researchers explained that if the extension .asp is added to the parameter, the server accepts a file with that extension (such as 'secctest.asp') as a legitimate upload, even though a server-side script of this kind would then be reachable through the webserver.
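The whitelist-tampering pattern described above, modelled as an added example (this is not MyBiz's code; the form-field format, the default server allowlist and the way the client value is merged are assumptions made for the demonstration), alongside a hardened check that keeps the allowlist on the server and ignores the client field entirely:

```python
import os
import re

# Assumed server-side default allowlist; the product's real list is not known.
SERVER_ALLOWLIST = {".pdf", ".docx", ".xlsx"}

# Name of the client-controlled form field reported by SEC Consult.
WHITELIST_FIELD = "HiddenFieldControlCustomWhiteListedExtensions"


def _normalise_ext(ext: str) -> str:
    """Turn 'asp', ' .ASP ' etc. into '.asp' so comparisons are consistent."""
    ext = ext.strip().lower()
    return ext if ext.startswith(".") else "." + ext


def vulnerable_accept(filename: str, form: dict) -> bool:
    """Vulnerable pattern (assumed model of the reported behaviour): the
    server merges the client-supplied hidden field into its whitelist before
    checking the upload's extension, so the attacker decides what is allowed."""
    allowed = set(SERVER_ALLOWLIST)
    for ext in form.get(WHITELIST_FIELD, "").split(","):
        if ext.strip():
            allowed.add(_normalise_ext(ext))
    return os.path.splitext(filename)[1].lower() in allowed


# Plain 'base.ext': no path separators, no extra dots, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$")


def hardened_accept(filename: str, form: dict) -> bool:
    """Hardened pattern: the form field is deliberately ignored, the allowlist
    lives only on the server, and the name must be a single 'base.ext' so that
    traversal ('../x.pdf') and multi-extension names ('shell.asp.pdf') are
    refused outright rather than interpreted. On top of this check the stored
    file should also receive a server-generated name (not shown here)."""
    # 'form' is intentionally unused: client input never influences the allowlist.
    if os.path.basename(filename) != filename or not SAFE_NAME.match(filename):
        return False
    return os.path.splitext(filename)[1].lower() in SERVER_ALLOWLIST


if __name__ == "__main__":
    # Constructed request: the attacker's form adds .asp to the hidden field.
    attacker_form = {WHITELIST_FIELD: "pdf,.asp"}
    print(vulnerable_accept("secctest.asp", attacker_form))  # True: script accepted
    print(hardened_accept("secctest.asp", attacker_form))    # False
    print(hardened_accept("tender.pdf", attacker_form))      # True
```

The hardened version is deliberately strict: instead of trying to reason about which of several extensions a webserver will honour, it only accepts names of the form `base.ext` and checks `ext` against a list the client cannot influence. Whether the extension check is done in the application or not, an upload directory should also be configured so the webserver never executes files from it.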

“Depending on the rights of the webserver used, it is possible to gain access to internal data, such as passwords from configuration files,” Johannes Greil, head of SEC Consult Vulnerability Lab, told The Daily Swig.

“Privilege escalation attacks are possible as well if the operating systems are not fully patched, which makes attacking further internal/DMZ systems even easier.”

In addition to the arbitrary file upload vulnerability, the researchers also found a reflected cross-site scripting flaw within MyProcureNet, which could allow an attacker to inject malicious client-side scripting.

Although both vulnerabilities can only be exploited by an authenticated user, the researchers noted that registration on MyProcureNet deployments is usually open to anyone, so authentication is not a meaningful barrier.

Based in Malaysia, MyBiz provides business software solutions to organizations across numerous sectors, including banking and insurance, oil and gas, healthcare, property, and telecommunications.

After discovering the flaws earlier this year, SEC Consult contacted the vendor in February but had yet to receive a reply at the time of publication.

“Currently, we would not recommend using the product until an in-depth review has been performed, as such critical issues could be identified in a very limited timeframe,” said Greil.

“MyProcureNet version 5.0.0 has been tested and found to be vulnerable. This was the latest version available at the time of the test. It is assumed that MyBiz products are affected by further critical security issues.”

Organizations that rely on this software may be able to limit the impact of these vulnerabilities by reconfiguring their webserver, for example so that files in the upload directory are served as static content and never executed as server-side scripts.