[VIM] [OSVDB Mods] [Change Request] 23617: Kwik-Pay Payroll KwikPay.mdb Information Disclosure

Steve Tornio steve at vitriol.net
Thu Feb 15 20:22:32 EST 2007 

Kwik-Pay Support wrote:
> It's just that the kwikpay.mdb file contains fictitious demonstration data - not
> any sensitive employment or payment related data. It implies that a file that
> was never intended to be secured should be secured.


So, your objection is due to the inclusion of an actual filename?  We're 
all agreed that the contents of databases prior to version 4.2.22 were 
trivially accessible to a local user?

> 
> It only applies if the user themselves create their own payroll database in the
> installation directory. The software itself does not force any user payroll
> database to be created there - it is only created there if the user specifically
> requests it!
> 
> I'd prefer if the whole report was removed as we believe that it was created by
> people who did not understand how the system worked, and did not even contact us
> to find out before they created the report!

If the databases are trivially accessible by local users, then the entry 
will certainly stay.  Most installations will follow the path of least 
resistance, and unless the program requires an encrypted database, then 
this is a legitimate concern.


> 
> p.s. I had some correspondence with Brian yesterday. Is he always so offensive?
> 

OSVDB is a volunteer effort, staffed by people whose only goal is to 
provide a comprehensive, accurate database of reported computer and 
network security vulnerabilities.  Brian has been a key force in making 
our database as complete and accurate as we can make it, with no 
compensation and little recognition.  I'm proud to work with him for an 
equivalent amount of compensation and recognition.

So, when we are approached by someone, and the very first accusatory 
words of his email are, "It has just been brought to our attention that 
you have created this 'security problem' regarding our software," we 
don't feel the need to mince words.  The vulnerability was created by an 
oversight in the development of the application, it was reported by 
independent researchers, and then recorded in our database, as 
accurately as we are able.  We are happy to correct errors in the 
database.  We are not as happy to take ill-founded abuse as we do it.

I will update our description to remove the offending file name, as it 
sounds like a more accurate description of the vulnerability.

Thanks,
Steve Tornio
osvdb.org

More information about the VIM mailing list