Dec 31 2008

NGENUITY-2009-001 – Open-Realty Multiple XSS Vulnerabilities

nGenuity Information Services – Security Advisory

   Advisory ID: NGENUITY-2009-001
   Application: Open-Realty 2.5.5
        Vendor: Transparent Technologies, Inc.
Vendor website: http://www.transparent-tech.com/
        Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)

  I. BACKGROUND
     "Open-Realty® is an open source web based real estate listing management
application. It is intended to be both easy to setup and use. Written
in PHP, Open-Realty® is designed to be a fast and flexible tool for
your real estate website" [1]

 II. DETAILS
     Multiple reflected cross-site scripting (XSS) vulnerabilities exist within
Open-Realty v2.5.5. They are due to user-supplied query parameters being echoed back
into the page unaltered, neither stripped nor HTML-encoded at the point of output.

Reflected:

http://www.example.com/openrealty/index.php?action=contact_agent&listing_id=XSS&popup=yes

http://www.example.com/openrealty/index.php?action=contact_agent&popup=yes&agent_id=XSS

http://www.example.com/openrealty/index.php?action=calculator&price=XSS&popup=y

1.27.2009 - Version 2.5.6 has been released and addresses this vulnerability.
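The defect class above (a query parameter written straight into the response) and its fix (encode at the point of output) are easy to see side by side. The following Python is an added illustration, not code from the advisory or from Open-Realty: it keeps the three advisory URLs, swaps an inert marker for the XSS placeholder, renders a toy stand-in for each page with and without HTML encoding, and reports whether the marker survives. The mapping of which parameters each action echoes is an assumption inferred from the URLs, not taken from the product's source.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The three reflected URLs from the advisory, with the XSS placeholder intact.
ADVISORY_URLS = [
    "http://www.example.com/openrealty/index.php?action=contact_agent&listing_id=XSS&popup=yes",
    "http://www.example.com/openrealty/index.php?action=contact_agent&popup=yes&agent_id=XSS",
    "http://www.example.com/openrealty/index.php?action=calculator&price=XSS&popup=y",
]

# Constructed probe: inert markup whose verbatim survival in the output shows
# that the value was reflected unencoded. It contains nothing executable.
PROBE = "<b>probe</b>"

# Assumed mapping of which parameters each action echoes; inferred from the
# advisory's URLs, not from Open-Realty's code.
ECHOED_PARAMS = {
    "contact_agent": ("listing_id", "agent_id"),
    "calculator": ("price",),
}


def render_page(params: dict, encode: bool) -> str:
    """Toy stand-in for the page handlers.

    encode=False models the defect the advisory describes (values echoed
    unaltered); encode=True is the fix: HTML-encode at the point of output,
    including quotes so the value is also safe inside an attribute.
    """
    action = params.get("action", [""])[0]
    values = [params.get(name, [""])[0] for name in ECHOED_PARAMS.get(action, ())]
    if encode:
        values = [html.escape(v, quote=True) for v in values]
    return "<p>" + " ".join(values) + "</p>"


def reflects_probe(url: str, encode: bool) -> bool:
    """Substitute the probe for the XSS placeholder, render the page, and
    report whether the probe markup came back verbatim."""
    query = urlsplit(url.replace("XSS", PROBE)).query
    params = parse_qs(query, keep_blank_values=True)
    return PROBE in render_page(params, encode)


def audit(urls=ADVISORY_URLS) -> dict:
    """Return {url: (reflected_without_encoding, reflected_with_encoding)}."""
    return {u: (reflects_probe(u, False), reflects_probe(u, True)) for u in urls}


if __name__ == "__main__":
    for url, (before, after) in audit().items():
        state = lambda r: "REFLECTED" if r else "clean"
        print(f"{state(before)} -> {state(after)} : {url}")
```

Running it prints REFLECTED -> clean for each of the three URLs: the unencoded renderer reflects the marker, the encoding renderer returns it as `&lt;b&gt;probe&lt;/b&gt;`. The same probe-and-compare loop works against a live test instance by replacing render_page with an HTTP fetch, which is how a regression check for the 2.5.6 fix would be written.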

III. REFERENCES
     [1] - http://www.open-realty.org/
Copyright (c) 2008 nGenuity Information Services, LLC

 IV. EDITS
1/18/2008 - Vendor notification: "releasing a new version of Open-Realty 2.5.6 this week to fix the XSS reflection vulnerabilities..."
1/20/2008 - Removed persistent section of advisory. Informed by the vendor that "There is an option to strip HTML from the listing and agent fields when agents post in the Open-Realty configuration, under Editor/Html. If that is on any html posted in a field by an agent will be removed."
1/27/2009 - Added vendor fix information.
Dec 25 2008

Merry Christmas from nGenuity

Everyone here at nGenuity is very thankful for the past successful year. We couldn’t have done it without the support of our friends, family, and loyal customers. Enjoy the holidays, the New Year is just around the corner.

Dec 18 2008

New Year Resolution: Change All Your Passwords

If you can actually remember all of the places you signed up for accounts over the years and the unique passwords for those accounts you can stop reading this now.

All the rest of you still reading should know that passwords are an important part of keeping prying eyes from your data (and probably have just as hard a time remembering passwords as I do.) Passwords are very similar to the combination for a safe. Know the right combination and it is easy to obtain the contents. If you don’t happen to know the combination you could try a whole bunch of combinations in succession and eventually hit the right one. The key word there is eventually. While there are other limiting factors such as frequency of guesses and other controls that I’m going to ignore for the sake of this introduction, passwords for the most part protect against time. The more complex the password, the more difficult it is to guess, and the longer it should take to obtain the right one.

Make password management easy on yourself and get a password safe application like Password Gorilla. If you are wondering why you need one of these applications, here are just a few reasons.

  • Remembers your passwords for you (in an encrypted vault!)
  • Passwords can be as complex and long as you want them to be.
  • You have a convenient list of passwords so that when the New Year comes around you can change them, all of them.
  • You can keep information, such as answers to “security questions”, in the notes field. You don’t have to use answers like “What is the name of your first pet? Max”. Instead make them just as complex as your passwords.
  • Password Gorilla is cross-platform and works on Windows, OS X and Unix systems. No excuses here!

We all know you aren’t going to go to the gym like you need to, so why not pick a New Year resolution that is attainable, like caring about strong password management, one of the most basic principles in security.

Dec 15 2008

Fixing The SMB Security Process

The typical small/medium business (SMB) security process is a reactive one that usually looks something like the following.

  1. Something breaks / data is accidentally deleted or goes missing / a computer is infected with malware / the company website gets hacked.
  2. The SMB reacts. This typically means one of the following: fixing the problem, finding a creative workaround, or simply realizing nothing can be done and giving up (which might fall into the creative workaround category). All of these cost the SMB time and/or money.

So how can the typical SMB reduce the need for costly reactions or be better prepared in the event they need to react to an incident? The simple answer is be proactive about their business related technology risks. Here are a few more detailed recommendations.

Reduce Ignorance to Technology Dependence:

Many SMBs use technology to reduce costs and increase productivity, but many do not understand that with these benefits come some pretty serious risks. Do the following exercise to better understand your technology dependence. Essentially you are doing the reactive work ahead of time.

  1. Walk through your business's typical day, outlining business processes such as ordering, payroll, payables, customer service, and sales.
  2. Write down the pieces of technology that are required to make these business transactions happen.
  3. Imagine what the day would be like should each one of those technology advantages be missing, unavailable, perform poorly, etc.
  4. Write down any low-tech alternatives you may have (such as manual credit card transactions, using that really ugly and cumbersome imprinting machine, hey it works!)

This information will help you understand some of the major risks to critical business processes, sure you will miss some, but you will be better off than when you started.

Adopt Automated / Managed Systems:

Sure, these come with their own set of risks, but automated systems implemented properly can save an SMB a lot of headaches and even prevent some incidents from happening. Here are a few examples:

  • Offsite data backups
  • Antivirus / Desktop firewalls centrally monitored and controlled to ensure updates are applied and network policies are enforced.
  • Near real time integrity monitoring of company website
  • Managed services for weekly/monthly/quarterly, proactive checkups of systems (let somebody else worry about it).

Do It Over Again:

Environments change, and your plan should evolve with them. Consider reviewing the assessments, planning, and systems you have put in place over the course of the past year. Adjust them to fit your current business strategy. Remember that technology should enable business; ignoring your technology-based risks won’t make the risks go away and certainly won’t make enabling your business any easier.

Dec 15 2008

Encompass Web PACS Forced Browsing Vulnerability

nGenuity Information Services – Security Advisory

 Application: Encompass Web PACS
      Vendor: AGFA Heartlab
      Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
      CVE-ID: (PENDING CERT NOTIFIED)

  I. BACKGROUND
     Heartlab Encompass Web PACS is a web application used to remotely access
     and manage echocardiogram patient data. To conform with HIPAA regulations
     access to this data should be password protected.

 II. DESCRIPTION
     Authentication to PACS patient information can be bypassed by navigating
     to the SessionStart.asp page. This page sets up an anonymous user session
     and gives access to all patient records. 

III. DETAILS
     Patient data and records are available by navigating to a URL similar to

https://pacs.example.com/thinclient/SessionStart.asp

     no authentication is required.

 IV. VENDOR
     The vendor has been notified and there is a patch available to address this vulnerability.

Copyright (c) 2008 nGenuity Information Services, LLC
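Until the vendor patch is applied, and to confirm it afterwards, the owner of such a system wants to know whether SessionStart.asp has been reached by clients that never logged in. The following Python is an added example, not code from the advisory or from the vendor: it parses a constructed IIS-style W3C log excerpt and flags successful hits on SessionStart.asp from a client with no prior successful POST to the login page. Login.asp is an assumed name for the product's login page (the advisory names only SessionStart.asp), the log lines and addresses are constructed, and the assumption that a forms login shows up as a POST with a 2xx/3xx status is stated in the code.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Constructed IIS W3C-style log excerpt, not from the advisory or any real site.
# Login.asp is an assumed name for the product's login page.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-12-15 09:01:02 10.0.0.5 GET /thinclient/Login.asp 200
2008-12-15 09:01:09 10.0.0.5 POST /thinclient/Login.asp 302
2008-12-15 09:01:10 10.0.0.5 GET /thinclient/SessionStart.asp 200
2008-12-15 09:15:44 198.51.100.7 GET /thinclient/SessionStart.asp 200
2008-12-15 09:15:45 198.51.100.7 GET /thinclient/PatientList.asp 200
2008-12-15 09:20:00 10.0.0.9 GET /thinclient/SessionStart.asp 403
"""

LOGIN_PAGE = "/thinclient/login.asp"            # assumed page name
SESSION_START = "/thinclient/sessionstart.asp"  # page named in the advisory


@dataclass
class Finding:
    when: str
    client: str
    status: str


def parse_w3c(lines: Iterable[str]):
    """Yield one dict per record, keyed by the names in the #Fields header.
    Records that do not match the header's field count are skipped."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_forced_session_starts(log_text: str) -> List[Finding]:
    """Flag SessionStart.asp hits that succeeded (2xx) for a client with no
    earlier successful POST to the login page in this log.

    Assumption: a forms login is a POST to LOGIN_PAGE answered with 2xx or 3xx.
    A 403 on SessionStart.asp is what the patched behaviour should look like,
    so it is not flagged.
    """
    logged_in = set()
    findings: List[Finding] = []
    for rec in parse_w3c(log_text.splitlines()):
        stem = rec["cs-uri-stem"].lower()
        status = rec["sc-status"]
        if stem == LOGIN_PAGE and rec["cs-method"] == "POST" and status[0] in "23":
            logged_in.add(rec["c-ip"])
        elif stem == SESSION_START and status.startswith("2") and rec["c-ip"] not in logged_in:
            findings.append(Finding(f"{rec['date']} {rec['time']}", rec["c-ip"], status))
    return findings


if __name__ == "__main__":
    for f in find_forced_session_starts(SAMPLE_LOG):
        print(f"{f.when} {f.client} reached SessionStart.asp without a login (HTTP {f.status})")
```

On the sample log only 198.51.100.7 is reported: 10.0.0.5 logged in first, and 10.0.0.9 was refused with a 403. Correlating by client address is a rough key (shared proxies and NAT blur it), so on a real log the same logic is better keyed on the session cookie if the server logs it; the point is that any success on SessionStart.asp without a matching login is worth an alert, and after patching there should be none.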
