Forum OpenACS Q&A: ]project-open[ Security Advisory: Default Session Config (Serious)

Overview:

The ]project-open[ team has identified a vulnerability in ]project-open[ that allows attackers to shortcut the login process with information gained from other ]po[ instances.

Vulnerability Details:

The vulnerability consists of a weak configuration in the "preconfigured" demo system of the V3.1.2 installer. Your system is not affected if you have installed your server "from scratch".

We are going to disclose full information about the vulnerability in about 4 weeks, when we can be sure that most production systems have been updated.

Systems Affected:

- All systems that were installed using the V3.1.2 installer are affected.
- The misconfiguration persists after an upgrade to V3.1.4 or V3.2, so upgrading alone does not fix it.

Impact:

The misconfiguration allows attackers to gain access to any account on the affected systems.

Solution:

- Please open a PostgreSQL command session (pgAdminIII or "psql") and enter the following commands:

    delete from secret_tokens;
    select pg_catalog.setval('t_sec_security_token_id_seq', 1, true);

- Restart your server.

It is safe to execute this sequence on any V3.x ]project-open[ system. However, please back up your data before executing the commands.
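The remediation above, wrapped as a small script that takes the recommended backup first, runs the two statements in one transaction, and verifies the result before you restart the server. This is an added example, not tooling from the ]project-open[ project; it assumes psql and pg_dump are on PATH, that libpq environment variables (PGDATABASE, PGUSER, PGHOST) already point at the ]po[ database, and it uses a constructed variable PO_BACKUP_DIR for the backup location.

```shell
#!/bin/sh
# Remediation helper for the ]project-open[ default session config advisory.
# Added example; assumes psql/pg_dump on PATH and libpq env vars set.
# PO_BACKUP_DIR is a constructed name for this script, not a ]po[ setting.

# The exact statements from the advisory, in one transaction so that a
# failure leaves the table and the sequence untouched.
remediation_sql() {
    cat <<'EOF'
BEGIN;
DELETE FROM secret_tokens;
SELECT pg_catalog.setval('t_sec_security_token_id_seq', 1, true);
COMMIT;
EOF
}

# Verification query: prints "<rows left>|<sequence value>", expected "0|1".
verify_sql() {
    cat <<'EOF'
SELECT (SELECT count(*) FROM secret_tokens)::text || '|' ||
       (SELECT last_value FROM t_sec_security_token_id_seq)::text;
EOF
}

# Returns 0 only when the table is empty and the sequence is back at 1.
check_verify_output() {
    [ "$1" = "0|1" ]
}

remediate_secret_tokens() {
    backup_file="${PO_BACKUP_DIR:-.}/secret_tokens-$(date +%Y%m%d%H%M%S).sql"
    # Back up the table before touching it, as the advisory recommends.
    pg_dump --table=secret_tokens > "$backup_file" || { echo "backup failed" >&2; return 1; }
    # ON_ERROR_STOP makes psql abort (and roll back) on the first error.
    remediation_sql | psql -q -v ON_ERROR_STOP=1 || { echo "remediation failed" >&2; return 1; }
    result=$(verify_sql | psql -At)
    if check_verify_output "$result"; then
        echo "secret_tokens cleared and sequence reset; restart the server now"
    else
        echo "unexpected state after remediation: $result" >&2
        return 1
    fi
}

# Only act when explicitly asked, so the script can be sourced for review.
if [ "${1:-}" = "run" ]; then
    remediate_secret_tokens
fi
```

Run it as `sh remediate.sh run` with the same database credentials your ]po[ server uses, then restart the server as the advisory says.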

Credits:

Thanks to Simon De Baene of GSoft Group Inc. for reporting the issue.

Contact:

For additional questions please use our SourceForge forum at: https://sourceforge.net/forum/forum.php?forum_id=618818

Vendor Information:

]project-open[ (http://www.project-open.com/) is a project management and PSA (Professional Services Automation) system for companies in the consulting, engineering, advertising and localization industries. It covers the entire project life cycle from sales (CRM-light), staffing, execution (timesheet, controlling, incidents, discussions, and file storage) to invoicing and payment. The ]po[ architecture is designed for mission-critical applications with a rock-solid infrastructure and a sophisticated role-based permission system.