
Arxes Tolina User Disclosure via Application Function

A username disclosure vulnerability in one of the application functions of the arxes-tolina web application, version 3.0.0, allows authenticated users to see other users’ login usernames. By sending an HTTP GET request to the API object “/*obfuscated*/process/XXXX/execution-protocol”, where XXXX is the contract number, the application discloses the usernames of the users that took part in the execution of that contract. A malicious user could use this information to attempt to gain access to accounts with higher privileges. The vulnerability was reported as CVE-2019-19677.

Background

We discovered a security issue in the arxes-tolina web application, version 3.0.0, a software product for the credit risk rating of business parties. Because of an information-disclosing function, a malicious user could obtain the usernames of users with higher privileges. Such usernames are the first half of a credential pair and could be used in further attacks against those users (e.g. password brute force or targeted phishing).

Steps to Reproduce

By sending an HTTP GET request to the API object “/*obfuscated*/process/XXXX/execution-protocol”, where XXXX is the contract number, the application discloses the usernames of the users that took part in the execution of that contract. Only a valid session of any authenticated user is required.

Picture 1: HTTP GET request to the “execution-protocol” API object

Picture 2: HTTP response of the request to the “execution-protocol” API object

Root Cause

This issue exists because the HTTP response includes the “userId” parameter, whose value is the login username of the user who performed each step. To mitigate the issue, we recommend either not including the “userId” parameter in the execution-protocol object response at all, or replacing it with the display name of the responsible person who took part in the contract execution, so that no login identifier is exposed to other users.
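The following is an added example, not code from the original advisory or from arxes-tolina, covering both the Steps to Reproduce and the Root Cause sections. It shows the check a tester would run over the execution-protocol response to confirm that login names are leaked, and the recommended mitigation applied server-side to the same structure (drop “userId”, or replace it with a display name). It assumes the response is JSON, that the leaked field is literally named “userId” as the advisory states, and that the obfuscated path prefix is supplied as base_url; the sample response and the userId-to-display-name lookup are constructed for this example and will not match the real application.

```python
"""Added example (not the advisory's or arxes-tolina's code).

find_user_ids()            - tester's check over the JSON response of
                             GET <base>/process/<contract>/execution-protocol
redact_execution_protocol() - the Root Cause mitigation: remove "userId" or
                             replace it with a display name

Assumptions (not from the advisory): JSON response, field literally named
"userId", obfuscated prefix passed in as base_url, constructed sample data.
"""
import json
from typing import Any, Dict, List, Optional
from urllib.request import Request, urlopen

LEAKED_KEY = "userId"

# Constructed sample response; the real structure is only shown as a
# screenshot in the advisory and will differ.
SAMPLE_RESPONSE = {
    "contractNumber": "4711",
    "steps": [
        {"step": "CREATED", "userId": "jdoe", "timestamp": "2019-11-01T09:12:00Z"},
        {"step": "APPROVED", "userId": "admin.mueller", "timestamp": "2019-11-02T14:03:00Z"},
        {"step": "RELEASED", "userId": "jdoe", "timestamp": "2019-11-03T08:40:00Z"},
    ],
    "audit": {"lastEditor": {"userId": "r.schmidt"}},
}

# Constructed lookup used by the mitigation variant that substitutes a
# display name for the login name.
DISPLAY_NAMES = {"jdoe": "J. Doe", "admin.mueller": "A. Mueller", "r.schmidt": "R. Schmidt"}


def find_user_ids(node: Any) -> List[str]:
    """Walk a parsed JSON document and collect every string value of LEAKED_KEY.

    Duplicates are kept in order of appearance so the caller can see how many
    steps each account touched; apply set() for the distinct account list.
    """
    found: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == LEAKED_KEY and isinstance(value, str):
                found.append(value)
            else:
                found.extend(find_user_ids(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_user_ids(item))
    return found


def execution_protocol_url(base_url: str, contract_number: str) -> str:
    """Build the request URL; base_url stands in for the obfuscated prefix."""
    return f"{base_url.rstrip('/')}/process/{contract_number}/execution-protocol"


def fetch_execution_protocol(base_url: str, contract_number: str, session_cookie: str) -> Any:
    """Send the authenticated GET from Steps to Reproduce (network call, not run offline).

    session_cookie is the tester's own, legitimately obtained session.
    """
    req = Request(
        execution_protocol_url(base_url, contract_number),
        headers={"Cookie": session_cookie, "Accept": "application/json"},
    )
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def redact_execution_protocol(doc: Any, display_names: Optional[Dict[str, str]] = None) -> Any:
    """Return a copy of doc with every LEAKED_KEY removed (server-side mitigation).

    With display_names given, the login name is replaced by a "responsiblePerson"
    display name instead, the second option the advisory suggests; accounts with
    no display name fall back to removal so no login identifier ever passes through.
    """
    if isinstance(doc, dict):
        out: Dict[str, Any] = {}
        for key, value in doc.items():
            if key == LEAKED_KEY:
                if display_names is not None and value in display_names:
                    out["responsiblePerson"] = display_names[value]
                # otherwise the field is dropped entirely
            else:
                out[key] = redact_execution_protocol(value, display_names)
        return out
    if isinstance(doc, list):
        return [redact_execution_protocol(item, display_names) for item in doc]
    return doc


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; against a live target,
    # replace SAMPLE_RESPONSE with fetch_execution_protocol(base, contract, cookie).
    print("login names in response:", sorted(set(find_user_ids(SAMPLE_RESPONSE))))
    print(json.dumps(redact_execution_protocol(SAMPLE_RESPONSE, DISPLAY_NAMES), indent=2))
```

The tester's check is deliberately key-based rather than schema-based: it flags a “userId” anywhere in the document, including nested audit objects, which is where such fields tend to survive an incomplete fix. The redaction is a pure function over the response model, so it can be applied at the serialisation boundary without touching the business logic that builds the protocol.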

Fix

The issue was reported to arxes-tolina, but we are not aware whether a fix has been implemented.

Credit

Credit for finding and reporting the issue:

Evgeni Sabev (Deloitte)