SIK-2016-015


Title:

HEAG Mobile Backend Manipulation Vulnerability

Report ID:

SIK-2016-015

Summary:

  • Vendor: GeoMobile GmbH
  • Product: HEAG mobilo
  • Affected Version: 2.4.45
  • Severity: High
  • Short summary:

The backend database (CouchDB) for the HEAG Mobilo app has an openly accessible management interface. The account used in the app can change its own password there, effectively breaking access from the app.

Details

The CouchDB database used by the HEAG mobilo app has an openly accessible management interface at http://couchdata.busaccess.de:5984/_utils/. An attacker can log in using the credentials from the app (username „**REMOVED**“, password „**REMOVED**“). Using the management interface, the attacker can then change the password for this account. This effectively locks out all access from the app, which relies on this account to work.

Note that we describe this vulnerability based on the features visible to us in the management interface. To avoid disrupting the operation of the app, we did not actually change the account password.

It is most likely also possible to modify existing data or create new records using the management interface.

Workaround

Disable remote access to the management interface at /_utils. Make sure that the account used in the app has only the minimum permissions it needs.

Suggested Mitigation

Give accounts used in apps only minimal permissions. They should not have access to any management interface, should not be able to change their own password, and should not be able to alter data that is supposed to be read-only, such as stations or tours.

Timeline

  • 2016-11-29: Vulnerability Discovered
  • 2016-12-12: Reported
  • 2017-02-16: Fixed