Security Issues

Hi there!
I'm evaluating SupportCenter software for my enterprise, and I have been checking some security issues in the product, like role definitions and the permissions associated with these roles. And I've found two details I'd like to discuss with you, because I believe it's not a setup problem.

Try logging in as an administrator, and copy the URL for an Account Edition, e.g.
http://192.168.2.25:8081/CustomerDef.do?mode=edit&id=301

Now log in as an account contact, and paste the URL in the browser.
Hey! You can edit all the data from the account... and if you change the id you can find out all the details from the other accounts and change them too...

OK, let's also try with Account contacts; the URL would be something like
http://192.168.2.25:8081/CustomerDef.do?mode=edit&id=301
Yes, you can change your own details, but also the details of other contacts in other accounts! Even Support Reps!

Am I able to change the password for a Support Rep or a Contact? Let's check...
http://192.168.2.25:8081/changePwd.do?accountID=304
Well, I can access the contact name, but no change is possible, only because I don't know the old password... it's not closed to a brute force attack!

Hmm... support reps management if logged in as an account contact?
http://192.168.2.25:8081/TechnicianDef.do?mode=edit&id=9&; shows a "You are not authorized to view this page" message.
Support reps management if logged in as a support rep but without permissions in the role?
Same result, http://192.168.2.25:8081/TechnicianDef.do?mode=edit&id=9&; shows a "You are not authorized to view this page" message.

Waiting for your comments... are these issues solved in version 6 of the product? When is it going to be released? I cannot get this product into real production until these issues have been solved!
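The behaviour described in the post (an account contact opening CustomerDef.do?mode=edit&id=301 and getting another account's edit form) is an insecure direct object reference: the server checks that a session exists, but never checks that the session's user is allowed to touch the object named by id. Below is an added example, not SupportCenter code and not from the original poster, that models the vulnerable handler next to a hardened one and includes a small probe that reports whether a low-privileged session can open an object it does not own. The accounts, users, roles and the "edit_account" permission name are constructed for the demo; only the URL shape is taken from the post.

```python
"""IDOR demo: vulnerable vs. hardened handling of CustomerDef.do?mode=edit&id=N.
Constructed example; none of the records or role names come from the real product."""
from urllib.parse import urlsplit, parse_qs

BASE = "http://192.168.2.25:8081"  # host from the post, used only to build URLs

# Constructed data: two accounts, and the users that exist in the demo.
ACCOUNTS = {301: {"name": "Acme Corp"}, 302: {"name": "Globex"}}
USERS = {
    "alice": {"role": "contact", "account_id": 301},   # contact of account 301
    "bob":   {"role": "contact", "account_id": 302},   # contact of account 302
    "rep1":  {"role": "support_rep", "permissions": set()},
    "admin": {"role": "admin", "permissions": {"edit_account"}},
}
DENIED = "You are not authorized to view this page"


def parse_request(url):
    """Return (mode, id) from .../CustomerDef.do?mode=edit&id=301, or (None, None)."""
    q = parse_qs(urlsplit(url).query)
    try:
        return q.get("mode", [""])[0], int(q["id"][0])
    except (KeyError, ValueError):
        return None, None


def edit_account_vulnerable(user, url):
    """Authenticates the caller but trusts the id parameter as given."""
    if user not in USERS:
        return "login required"
    mode, account_id = parse_request(url)
    if mode != "edit" or account_id not in ACCOUNTS:
        return "not found"
    return "edit form for %s" % ACCOUNTS[account_id]["name"]


def edit_account_hardened(user, url):
    """Authorizes the (user, object) pair: admins pass, reps need the
    permission in their role, contacts may only open their own account."""
    if user not in USERS:
        return "login required"
    mode, account_id = parse_request(url)
    if mode != "edit" or account_id not in ACCOUNTS:
        return "not found"
    u = USERS[user]
    if u["role"] == "admin":
        allowed = True
    elif u["role"] == "support_rep":
        allowed = "edit_account" in u["permissions"]
    else:  # account contact: ownership check against the requested id
        allowed = u["account_id"] == account_id
    if not allowed:
        return DENIED
    return "edit form for %s" % ACCOUNTS[account_id]["name"]


def idor_exposed(handler, user, account_id):
    """True if `user` can open the edit form for an account they do not own.
    This is the manual test from the post (log in as a contact, paste the
    admin's URL, change the id) expressed as a check against a handler."""
    url = "%s/CustomerDef.do?mode=edit&id=%d" % (BASE, account_id)
    return handler(user, url).startswith("edit form")


if __name__ == "__main__":
    for name, handler in (("vulnerable", edit_account_vulnerable),
                          ("hardened", edit_account_hardened)):
        print(name, "bob -> id=301 exposed:", idor_exposed(handler, "bob", 301))
```

The fix is not to hide the URL or the id (both are trivially guessable) but to decide, on every request, whether this session may act on this object; the same ownership or permission check belongs in TechnicianDef.do and changePwd.do, and the probe can be pointed at each handler in turn.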