TITLE:
Jiwa Financials Information Disclosure Vulnerability

SECUNIA ADVISORY ID:
SA20342

VERIFY ADVISORY:
http://secunia.com/advisories/20342/

CRITICAL:
Less critical

IMPACT:
Exposure of sensitive information

WHERE:
From local network

SOFTWARE:
Jiwa Financials 6.x
http://secunia.com/product/10220/

DESCRIPTION:
Robert Passlow has reported a vulnerability in Jiwa Financials, which can be exploited by malicious users to disclose potentially sensitive information.

The vulnerability is caused by the application not properly restricting which Crystal Report files an authenticated user can access. This can be exploited to disclose information in reports that are not intended for the current user.

Successful exploitation allows disclosure of information from the Jiwa database (e.g. users' credentials for the Jiwa application).

The vulnerability has been reported in version 6.4.14. Other versions may also be affected.

SOLUTION:
The vendor recommends controlling access privileges on the file system to ensure that a user cannot select reports other than the reports designated for that user.

PROVIDED AND/OR DISCOVERED BY:
Robert Passlow

ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/046398.html

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.