Disclaimer: the results discussed below were found on a vanilla installation of Remedy 8.1. We deliberately chose an older version of the stack for this exploratory post.
Scapa has recently partnered with Appcheck NG, who provide a web vulnerability scanning platform. End user monitoring and load and performance testing have been our core activity for many years. Over time, these activities began to intersect with security issues. While we answered many questions around server and end-user performance, sometimes the security of the systems under test was taken for granted. Partnering with Appcheck NG and using their tools alongside Scapa now brings security concerns to light.
As a test exercise, we launched a Remedy 8.1 instance, with no customisations or tweaks, and ran a basic scan against it. For demonstration purposes, we ran over HTTP, not HTTPS. In any case, initial findings of the scan were not confined to SSL issues.
- Default Remedy 8.1 installation is vulnerable to reflected Cross Site Scripting (XSS)
- Freely accessible and browsable directories potentially containing sensitive information are available
Cross Site Scripting
Cross Site Scripting vulnerabilities occur when data submitted to the application is not properly handled before being embedded within the application’s response or stored for later retrieval.
Reflected XSS vulnerabilities are typically exploited by embedding malicious script code within links to the application. The attacker would then attempt to coerce the user into following the maliciously crafted link via a social engineering attack such as a phishing email.
Upon clicking the malicious link, the embedded script code is inserted into the server’s response and executed within the user’s web browser.
Browsable Directories
Where directories are freely accessible and browsable, it may be possible for an attacker to easily discover hidden content, scripts and configuration files. While this can often just be an advisory warning, in this case each directory that we found hosts at least one file with an extension that is synonymous with sensitive data, such as databases and configuration files, thus elevating the warning level.
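The advisory-versus-elevated distinction above can be checked against your own server's index pages. This is an added example, not output from the scan or code from Scapa or Appcheck NG; the extension list, the listing markers and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Assumed extensions for database and configuration files (not from the scan report).
SENSITIVE_EXTENSIONS = {".db", ".mdb", ".sqlite", ".sql", ".bak",
                        ".cfg", ".conf", ".ini", ".properties"}
# Assumed heuristic: titles that common servers put on auto-generated index pages.
LISTING_MARKERS = ("index of /", "directory listing for")

# Constructed sample of an auto-generated index page; paths are hypothetical.
SAMPLE_LISTING = """<html><head><title>Index of /shared/config</title></head><body>
<h1>Index of /shared/config</h1>
<a href="?C=N;O=D">Name</a>
<a href="/shared/">Parent Directory</a>
<a href="logo.png">logo.png</a>
<a href="settings.properties">settings.properties</a>
<a href="cache.db">cache.db</a>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collects the href of every anchor tag in the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def triage_listing(html):
    """Return (severity, sensitive_files) for one fetched page body."""
    if not any(marker in html.lower() for marker in LISTING_MARKERS):
        return "none", []  # not an index page: nothing to report
    collector = _LinkCollector()
    collector.feed(html)
    sensitive = []
    for href in collector.hrefs:
        path = unquote(urlsplit(href).path)
        # Column-sort links have an empty path; directories end with "/".
        if not path or path.endswith("/"):
            continue
        name = PurePosixPath(path).name
        if PurePosixPath(name).suffix.lower() in SENSITIVE_EXTENSIONS:
            sensitive.append(name)
    return ("elevated" if sensitive else "advisory"), sorted(sensitive)
```

A listing that exposes only static assets returns `advisory`; the fix in either case is to disable automatic directory indexes on the web server.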
Contact Scapa to arrange an evaluation scan of your own Remedy installation, and to discuss remediation of any vulnerabilities found.