Studiometry – Database Information Disclosure to Unauthenticated Users

Type
Information Disclosure

Severity
High

Affected products
Studiometry

CVE Reference
N/A

Timeline
2016-07-11  Issue reported to vendor
2016-07-11  Response received from vendor
2016-07-12  Vendor provided beta with patches for testing. Vulnerability verified as fixed in beta.
2016-07-14  Vendor notified MWR that an official patch would be released 2016-07-25.
2016-07-25  Oranged Software released official patched version 12.6.1 of Studiometry

Description

Studiometry is a project and client management tool aimed at small businesses. The tool comes in several forms, with both a Windows and a Mac OS X implementation. Additionally, cloud services are provided as well as an iOS mobile application. Only the Windows version of the application was tested, but the issue described in this advisory could also affect the iOS and Mac OS X implementations. The configuration tested was that of a self-administered Studiometry server, as a small business would be likely to use.

It was discovered that an unauthenticated user could connect to the Studiometry server and collect information sent from clients to the server. The application appears to broadcast updates to the server's database, received from one client, to all other connected clients so that each client can update its own local database. The server did not verify that a connected client had authenticated before including it in these broadcasts.

Impact

An attacker could connect to the server using a simple Netcat connection and collect sensitive application information, such as client details and users' credentials. The attacker could then use this information to steal client contact information or log in to the application with stolen credentials.

Cause

The application does not properly verify that a connected client has successfully authenticated to the server.
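As an added illustration (not code from the advisory or from Oranged Software), the following Python model of a broadcast-style sync server shows the flaw described above beside its fix: with `verify_auth=False` every connected socket receives replicated database updates, whether or not it ever authenticated; with `verify_auth=True` updates are accepted from, and replicated to, authenticated sessions only. The command names, credential store and in-memory session model are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed credential store for the demonstration (not Studiometry's real scheme).
VALID_CREDENTIALS = {"alice": "hunter2", "bob": "s3cret"}


@dataclass
class Session:
    """One client connection to the server, modelled in memory."""
    name: str
    authenticated: bool = False
    received: list = field(default_factory=list)


@dataclass
class Server:
    sessions: list
    verify_auth: bool  # False reproduces the reported flaw, True applies the fix

    def handle(self, sender: Session, line: str) -> str:
        """Process one command line from a connected client (assumed protocol)."""
        cmd, _, rest = line.partition(" ")
        if cmd == "AUTH":
            user, _, password = rest.partition(" ")
            sender.authenticated = VALID_CREDENTIALS.get(user) == password
            return "OK" if sender.authenticated else "DENIED"
        if cmd == "UPDATE":
            # Fix, part 1: only an authenticated session may submit an update.
            if self.verify_auth and not sender.authenticated:
                return "DENIED"
            for peer in self.sessions:
                if peer is sender:
                    continue
                # Flaw: without this check every connected socket, including one
                # that never authenticated, receives the replicated database row.
                if self.verify_auth and not peer.authenticated:
                    continue  # fix, part 2: replicate to authenticated peers only
                peer.received.append(rest)
            return "OK"
        return "ERR"


def simulate(verify_auth: bool) -> dict:
    """Scenario from the advisory: two real clients plus one bare connection."""
    alice, bob = Session("alice"), Session("bob")
    bare = Session("netcat")  # a connected socket that never authenticates
    server = Server([alice, bob, bare], verify_auth)
    server.handle(alice, "AUTH alice hunter2")
    server.handle(bob, "AUTH bob s3cret")
    server.handle(alice, "UPDATE contacts id=7,email=ceo@example.invalid")
    return {s.name: list(s.received) for s in server.sessions}
```

With the flaw present, the `netcat` session ends up holding the same contact row as `bob`; with the check in place it receives nothing while `bob` is still kept in sync.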

Solution

Update to Studiometry 12.6.1.

Technical Details

Please refer to the attached advisory above.

Further Information

 http://oranged.net/studiometry/versionhistory/