Penetration Test of ManageEngine Password Manager Pro

The application ManageEngine Password Manager Pro was subjected to a penetration test by //SEIBERT/MEDIA to assess the security of this software. Once the problems noted in version 6.3 (build 6303) for Windows have been corrected, this application will receive the Pentest Certificate "Silver" from //SEIBERT/MEDIA. We confirm that ManageEngine Password Manager Pro is secure software.

Management Summary

You are interested in the security of ManageEngine Password Manager Pro. So are we! //SEIBERT/MEDIA is responsible for testing the security of ManageEngine Password Manager Pro regularly. This is an ongoing process, as the software is under heavy development by the vendor. From all that we know, ManageEngine Password Manager Pro is secure. We have found security issues in the past, and the vendor has fixed them promptly. No software is without bugs or holes.
Security comes from a process that is consistent, thorough and continuous, and from a software vendor that acts on issues fast. We try to achieve all this for you as a user of ManageEngine Password Manager Pro.

Overview of issues and needed actions

This is an overview of all security checks for which a defect or issue was found. All checks are divided into six categories of risk:

Category | Title          | Description                       | Issues found | Fixed in newer version | Verified by //SEIBERT/MEDIA
0        | Information    | No risk, informative              | 0            |                        |
1        | Hint           | A hint for a defect               | 0            |                        |
2        | Recommendation | Recommendation for optimization   | 2            | verification due       |
3        | Issue          | Issue which needs to be corrected | 5            | verification due       |
4        | Critical       | High risk                         | 5            | verification due       |
5        | Severe         | Very high risk                    | 1            | verification due       |
The penetration test included the following components of the web application and the system configuration in version 6.3 (build 6303) for Windows.

Module: System

Verification of SSL-TLS security

SSL/TLS is the protocol that provides authenticated and encrypted communication over untrusted networks. It sits between the transport layer (TCP) and the application protocol (here HTTP, giving HTTPS); in OSI terms it is usually placed at the session/presentation layers rather than at a single fixed level.
This test was intended to verify the overall SSL/TLS configuration: the protocol versions the server accepts, as well as the offered cipher suites and their key lengths.
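As an added example (not part of the report, and not code from the vendor), the two halves of such a check in Python: a live probe that attempts a handshake pinned to each TLS version in turn, and an offline grading function applied to whatever protocol and cipher list the probe (or any scanner) returns. The weakness thresholds, the host name and PMP's HTTPS port (7272 assumed as the default) are assumptions to adjust to the installation.

```python
import socket
import ssl

# Thresholds are assumptions for this example, not the report's criteria.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "ANON")


def assess_tls_profile(protocols, ciphers):
    """Grade what a server accepted. `protocols` is an iterable of version labels,
    `ciphers` an iterable of (suite_name, key_bits) tuples, e.g. as produced by
    probe_tls_versions() or pasted from a scanner. Returns a list of findings."""
    findings = []
    for proto in protocols:
        if proto in OBSOLETE_PROTOCOLS:
            findings.append(f"obsolete protocol accepted: {proto}")
    for name, bits in ciphers:
        upper = name.upper()
        if any(marker in upper for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite accepted: {name}")
        elif bits < 128:
            findings.append(f"short symmetric key: {name} ({bits} bit)")
    return findings


def probe_tls_versions(host, port=7272, timeout=5.0):
    """Live probe (needs network; not exercised offline): attempt a handshake pinned
    to each TLS version and record which ones the server accepts and the suite it
    picked. Certificate validation is disabled on purpose: the question here is
    protocol support; the certificate chain is a separate check."""
    accepted = []
    for label, version in (("TLSv1", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                           ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:
            continue                      # the local OpenSSL build refuses this version outright
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    suite, _, bits = tls.cipher()
                    accepted.append((label, suite, bits))
        except (ssl.SSLError, OSError):
            pass                          # handshake refused: version not offered
    return accepted


def assess_probe(accepted):
    """Feed probe_tls_versions() output straight into the grader."""
    return assess_tls_profile([p for p, _, _ in accepted], [(s, b) for _, s, b in accepted])


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "pmp.example.internal"   # assumed host name
    for line in assess_probe(probe_tls_versions(host)) or ["no findings"]:
        print(line)
```

The grader deliberately works on plain strings so that output from any tool (the probe above, `openssl s_client`, a scanner export) can be fed in; a handshake that the client side refuses is reported as "not offered", so run the probe from a client whose OpenSSL still supports the old versions you want to test for.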

Notes on system-side application configuration

This section describes findings on the system side which cannot be assigned to a specific check.

Old software versions

Old or unpatched software is often a serious security issue. Through a known vulnerability, even an inexperienced attacker ('script kiddie') could gain root or SYSTEM privileges or could harm the system in many other ways, e.g. by executing a denial of service (DoS) attack or by manipulating files.
This test checked for old software versions and their known vulnerabilities.

World-writable and world-readable critical files and folders

World-writable and world-readable files and folders can be a serious security issue. An attacker could add or modify files and thereby compromise the security of the service and the system, or could access sensitive data with normal user privileges. It could also be possible for an attacker to reach these files through another vulnerable service or system component.
In this test, the installation of PMP was checked for such files and folders.

Database configuration and files

A database management system (DBMS) is often the most crucial part of an application, because it holds most or all of the data. Customer and user accounts, bank accounts, and product and payment information must be stored securely so that only privileged users can access the data.
This test checked for incorrect database configuration and for public or open database accounts.

Logging

It is common to enable logging for troubleshooting and performance analysis as well as for access statistics. Debug log files in particular often contain sensitive information such as usernames, passwords and session identifiers.
For this reason, all log files of the application installation were checked for such data.
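As an added example (not from the report or the vendor), a small Python scanner of the kind used for this check: it runs a few patterns for credentials, session identifiers and Basic-auth headers over log lines and redacts the secret before the line is quoted in a finding. The sample lines are constructed to mimic a Java application's debug log and are not taken from the assessment; the log format, the table name and the `JSESSIONID` cookie name are assumptions.

```python
import base64
import re

# Constructed sample lines, not taken from the assessment.
SAMPLE_LOG = """\
[2012-03-14 10:22:01] DEBUG LoginAction - authenticating user=admin password=Winter2012! from 10.0.0.5
[2012-03-14 10:22:02] INFO  LoginAction - login ok for admin, session JSESSIONID=8F3A1C0D22
[2012-03-14 10:23:10] DEBUG ResourceDAO - SELECT * FROM Resource WHERE resourceName='dc01'
[2012-03-14 10:23:11] DEBUG SshClient - connecting dc01:22 as root pwd=r00tpass
[2012-03-14 10:24:00] WARN  Mail - smtp auth failed, authorization: Basic cG1wOnNlY3JldA==
"""

# Each pattern's last group is the secret itself; redact() relies on that.
PATTERNS = {
    "password": re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*(\S+)", re.I),
    "session token": re.compile(r"\b(JSESSIONID)\s*=\s*([A-Za-z0-9_.-]+)", re.I),
    "basic auth header": re.compile(r"\bBasic\s+([A-Za-z0-9+/=]{8,})"),
}


def redact(line):
    """Replace the secret part of every match so the finding can be quoted safely."""
    for rx in PATTERNS.values():
        line = rx.sub(lambda m: m.group(0).replace(m.group(m.lastindex), "***"), line)
    return line


def scan_log(text):
    """Return (line_no, kind, redacted_line) for every line carrying sensitive data."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((no, kind, redact(line)))
    return hits


def basic_auth_user(b64):
    """The username half of a logged 'Authorization: Basic' value; the password half is dropped."""
    return base64.b64decode(b64).decode("utf-8", "replace").split(":", 1)[0]


if __name__ == "__main__":
    for no, kind, line in scan_log(SAMPLE_LOG):
        print(f"line {no:3} {kind:18} {line}")
```

A Basic header in a log is as good as a cleartext password, which is why the example decodes only the user part for the report; the patterns are deliberately loose (any `pwd=` or `password:`), since false positives are cheap to review and a missed debug line is not.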

Client plugins and addons

Client plugins can enhance and extend the functionality of a web application and often allow closer interaction between the client's computer and the web application.
This test checked for security issues in the plugin implementation.

Module: Web Application

File upload checks

File uploads are common in today's web applications. They are often used to give users an option to attach various files within the application. Insufficient server-side checks can be a serious security issue, as an attacker could upload malicious files such as HTML or JavaScript, or could place files outside the intended upload directory.
This test checked for various common security issues such as
  • Upload of HTML, JavaScript and other potentially malicious files
  • Handling of a wrong MIME type
  • Handling of null-byte characters
  • Header manipulation
  • Path traversal
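As an added example (not the report's test harness and not the vendor's upload handler), a server-side validator in Python that rejects each of the cases in the list above: control characters and null bytes in the file name, path components, non-allow-listed extensions, and content whose magic bytes do not match the extension. The client's declared Content-Type is recorded but never used to decide how the file is stored or served. The extension allow-list and the response headers are assumptions for the example.

```python
import os
import secrets

# Allow-list: extension -> (magic bytes the content must start with, content type the server will send).
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".pdf": (b"%PDF-", "application/pdf"),
}


def validate_upload(filename, declared_mime, data):
    """Server-side checks for an attachment upload. Returns a dict describing how to
    store and serve the file, or raises ValueError with the reason for rejection.
    `declared_mime` (the client's Content-Type) is recorded but never trusted."""
    if any(ch in filename for ch in "\x00\r\n"):
        raise ValueError("control character in filename")        # null byte / header injection
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        raise ValueError("path component in filename")           # ../ or an absolute path
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")        # .html, .js, .jsp and friends
    magic, content_type = ALLOWED[ext]
    if not data.startswith(magic):
        raise ValueError("content does not match extension")     # script renamed to .png etc.
    return {
        "stored_as": secrets.token_hex(16) + ext,   # never reuse the client's name on disk
        "content_type": content_type,               # server-chosen, regardless of declared_mime
        "declared_mime": declared_mime,
        "response_headers": {                       # keep the browser from sniffing or rendering inline
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'attachment; filename="{base}"',
        },
    }


def check(filename, declared_mime, data):
    """Convenience wrapper: (True, info) when accepted, (False, reason) when rejected."""
    try:
        return True, validate_upload(filename, declared_mime, data)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8                     # constructed minimal PNG header
    for args in (("logo.png", "image/png", png),
                 ("evil.html", "text/html", b"<html>"),
                 ("shell.jsp\x00.png", "image/png", png),
                 ("../../ROOT/x.png", "image/png", png),
                 ("logo.png", "image/png", b"<script>alert(1)</script>")):
        print(args[0].encode("unicode_escape").decode(), "->", check(*args))
```

Even with these checks a file can carry HTML after a valid image header, so the storage name, the server-chosen Content-Type and `nosniff` together are what stop the browser from executing it; serving uploads from a separate origin is the further step when that matters.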

Forgot-Password function

Most web applications allow users to reset their password if they have forgotten it, usually by sending them a password reset email and/or by asking them to answer one or more "security questions".
In this test, we checked that this function is properly implemented and that it does not introduce any flaw into the authentication scheme. We also checked whether the application lets the browser store the password ("remember password" function) and whether it allows autocomplete of password fields.
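As an added example (not the report's check and not the vendor's implementation), the server side of a reset-by-email flow as a tester would expect to find it: an unguessable token of which only a hash is stored, a short validity period, single use, and a neutral reply that does not reveal whether the account exists. The mailer is stubbed as a return value; the token lifetime and the user store are assumptions. (The browser-side half of the check, `autocomplete="new-password"` on the password fields, is form markup and not shown.)

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60          # assumed policy: a reset link is valid for 15 minutes
NEUTRAL_REPLY = "If an account with that name exists, a reset link has been sent."


class PasswordResetStore:
    """Issues and redeems password-reset tokens. Only a SHA-256 of each token is
    kept, so a leaked table does not contain usable links; a token is single use
    and expires after TOKEN_TTL_SECONDS. Storage is a dict for the example."""

    def __init__(self):
        self._pending = {}          # sha256(token) -> (username, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        token = secrets.token_urlsafe(32)              # 256 bits from the OS CSPRNG, unguessable
        expires_at = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (username, expires_at)
        return token                                   # belongs in the e-mail link only

    def redeem(self, token, now=None):
        """Return the username the token was issued for, or None. The entry is
        removed on first presentation whether or not it is still valid."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        return username if now <= expires_at else None


def request_reset(store, known_users, username, now=None):
    """The public 'forgot password' step. The reply is identical for known and
    unknown names so the endpoint cannot be used to enumerate accounts; the
    token goes to the mailer (stubbed as the second return value), never into
    the HTTP response."""
    token = store.issue(username, now) if username in known_users else None
    return NEUTRAL_REPLY, token


if __name__ == "__main__":
    store = PasswordResetStore()
    reply, token = request_reset(store, {"admin"}, "admin")
    print(reply)
    print("redeem once:", store.redeem(token), "| redeem again:", store.redeem(token))
```

Looking the hash up in a dict is fine here because the token has 256 bits of entropy and cannot be guessed, so timing of the lookup leaks nothing useful; what the pattern must never do is put the token in a URL that is logged server-side, which is the other place this test looks.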

Cookie attributes

Session cookies are the most common way of carrying authentication state for the duration of a session after a successful login. It is therefore crucial that they are protected with the correct attributes.
This test checked which attributes and values are set. These are:
  • Secure flag: only permits transmission over an encrypted connection. Without it the cookie value can be read in cleartext on the network.
  • HttpOnly flag: denies client-side script access to the cookie. It does not prevent XSS itself, but it stops the most common XSS payoff, stealing the session cookie via document.cookie.
  • Domain attribute: defines the scope (the hosts) to which the browser sends the cookie.
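As an added example (not the report's tooling), a Python check that parses a Set-Cookie header value with the standard library and reports which of the attributes above are missing. It also reports a missing SameSite attribute, which the list above does not include; the session cookie name (`JSESSIONID`, the Tomcat default) is an assumption.

```python
from http.cookies import SimpleCookie


def audit_set_cookie(header_value, session_cookie_names=("JSESSIONID",)):
    """Check one Set-Cookie header value and return a list of findings. Cookies not
    named in `session_cookie_names` are skipped: the attributes matter for cookies
    that carry authentication state. Accepts the value with or without the
    'Set-Cookie:' prefix as copied from a proxy or curl -i."""
    value = header_value.split(":", 1)[1] if header_value.lower().startswith("set-cookie:") else header_value
    jar = SimpleCookie()
    jar.load(value.strip())
    findings = []
    for name, morsel in jar.items():
        if name not in session_cookie_names:
            continue
        if not morsel["secure"]:
            findings.append(f"{name}: Secure flag missing (cookie is also sent over plain HTTP)")
        if not morsel["httponly"]:
            findings.append(f"{name}: HttpOnly flag missing (readable via document.cookie)")
        if morsel["domain"]:
            findings.append(f"{name}: Domain={morsel['domain']} (cookie is sent to all subdomains)")
        if not morsel["samesite"]:
            findings.append(f"{name}: SameSite attribute missing (no browser-side CSRF mitigation)")
    return findings


if __name__ == "__main__":
    # Constructed header values, not captured from the product.
    for header in ("Set-Cookie: JSESSIONID=8F3A1C; Path=/; Domain=.example.com",
                   "JSESSIONID=8F3A1C; Path=/; Secure; HttpOnly; SameSite=Strict"):
        print(header, "->", audit_set_cookie(header) or "ok")
```

An absent Domain attribute is the strict setting (the cookie is returned only to the issuing host), which is why the check reports the attribute's presence rather than its absence.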

Cross site request forgery (CSRF)

Cross site request forgery (CSRF) is an attack which forces an end user to execute unwanted actions in a web application in which they are currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user; if the targeted user is an administrator, it can compromise the entire web application.
This test checked for such CSRF flaws in the application.
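As an added example (not the vendor's code and not the report's test), the synchronizer-token pattern that a state-changing endpoint needs in order to pass this check, written in Python with the session store reduced to a dict: one random token per session, embedded in every form, compared in constant time, with a Content-Type-independent Origin check as defence in depth. The endpoint, the request shape and the trusted origin are assumptions.

```python
import hmac
import secrets


class CsrfGuard:
    """Synchronizer-token pattern: one random token per session, embedded in every
    state-changing form and compared in constant time. A page on another origin
    cannot read the token (same-origin policy), so it cannot forge a valid request."""

    def __init__(self):
        self._token_by_session = {}          # stand-in for the server-side session store

    def token_for(self, session_id):
        """Token to embed as <input type="hidden" name="csrf_token" value="..."> in forms."""
        return self._token_by_session.setdefault(session_id, secrets.token_urlsafe(32))

    def is_valid(self, session_id, submitted):
        expected = self._token_by_session.get(session_id)
        return bool(expected and submitted) and hmac.compare_digest(expected, submitted)


def change_password(guard, request, trusted_origin="https://pmp.example.internal:7272"):
    """A state-changing endpoint. `request` is a dict with method, session_id,
    headers and form. Returns (status, message). The Origin check is defence in
    depth; the token is the control that decides."""
    if request["method"] != "POST":
        return 405, "state changes only via POST"       # a GET link in an e-mail must not work
    origin = request["headers"].get("Origin")
    if origin and origin != trusted_origin:
        return 403, f"cross-origin request from {origin}"
    if not guard.is_valid(request["session_id"], request["form"].get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "password changed"


if __name__ == "__main__":
    guard = CsrfGuard()
    token = guard.token_for("sess-1")
    good = {"method": "POST", "session_id": "sess-1", "headers": {}, "form": {"csrf_token": token}}
    forged = {**good, "form": {}}                        # what a cross-site form post looks like
    print(change_password(guard, good), change_password(guard, forged))
```

The check the tester actually performs is the `forged` case: replay a captured request with the token removed or with a token from a second session; if the action still succeeds, the endpoint is vulnerable regardless of what the page source shows.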

Reflected Cross-Site Scripting (Type 1 XSS)

Cross-Site Scripting attacks are a type of injection problem in which malicious scripts are injected into otherwise benign and trusted pages. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as an email message or another web server. When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.
In this test the application was thoroughly checked for such reflected script vulnerabilities to disclose erroneous or incomplete protection measures.

Persistent Cross-Site Scripting (Type 2 XSS)

Cross-Site Scripting attacks are a type of injection problem in which malicious scripts are injected into otherwise benign and trusted pages. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, a message forum, a visitor log or a comment field. The victim then retrieves the malicious script from the server when requesting the stored information.
In this test the application was thoroughly checked for such stored script vulnerabilities to disclose erroneous or incomplete protection measures.
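As an added example serving both the reflected and the stored section above (not the report's tooling and not the vendor's code), a Python sketch of what the test does and what a passing implementation looks like: a canary value that carries the HTML metacharacters an injection needs, a check for whether it comes back raw, a deliberately vulnerable search page beside its encoded version, and a note store that keeps input as entered and encodes on output. The page templates and the canary are constructed for the example.

```python
import html

# Constructed probe value: breaks out of an attribute or text context if reflected raw.
CANARY = 'pmp"><svg/onload=alert(1)>'


def reflects_unescaped(body, canary=CANARY):
    """True when the canary came back with its metacharacters intact, i.e. the page
    would execute it; False when only an encoded form (or nothing) is present.
    Used the same way for a reflected probe (inspect the immediate response) and a
    stored one (submit the value, then fetch the page that displays it)."""
    return canary in body


def render_search_vulnerable(query):
    """The defect: user input concatenated straight into attribute and text context."""
    return f'<input name="q" value="{query}"><p>Results for {query}</p>'


def render_search(query):
    """Hardened: HTML-encode at output time; quote=True also covers the attribute context."""
    safe = html.escape(query, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


class NoteStore:
    """Stored case: values are kept as entered and encoded when rendered, so the
    protection does not depend on every input path sanitising correctly."""

    def __init__(self):
        self._notes = []

    def add(self, text):
        self._notes.append(text)

    def render(self):
        return "<ul>" + "".join(f"<li>{html.escape(n, quote=True)}</li>" for n in self._notes) + "</ul>"


if __name__ == "__main__":
    print("vulnerable reflects raw:", reflects_unescaped(render_search_vulnerable(CANARY)))
    print("hardened reflects raw:  ", reflects_unescaped(render_search(CANARY)))
    store = NoteStore()
    store.add(CANARY)
    print("stored note renders as: ", store.render())
```

`html.escape` is the right encoder only for HTML text and quoted attributes; a value placed inside a script block, a URL or a style attribute needs the encoder for that context, which is why the test probes every place the input is echoed rather than stopping at the first encoded one.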