Re: HP Quality Center vulnerability

[Pavel Kankovsky <peak () argo troja mff cuni cz>]

On Mon, 23 Feb 2009 info () exposit co uk wrote:

> The front-end of the application is composed of COM components that plug
> into the web browser. [...]
> In order to optimize the interaction speed of the application, a cache
> folder is created on the client machine. [...] Indeed, those files are
> required on the client machine because the workflow is execute on the
> client, not on the server. [...]
> If a user modifies this file and then mark it as read-only, he can
> execute arbitrary code. As the OTA API allows access to the database, he
> can also modify the data stored in the database as follows:

You say you can execute arbitrary code on your computer (under your own 
account)? What an amazing exploit! (pun intended)

Any client-server application depending on the client side not being
messed with by its user is *broken by design*. It does not matter
whether the messing in question is easy (like putting a VB script in the
right directory) or difficult (like attaching a debugger to a running
process and flipping bits in its memory space).

> Please note that HP has released a patch that fixes this issue, please 
> contact HP support for further details.

I wonder what kind of fix has been released. Does anyone think they solved 
the REAL problem?

-- 
Pavel Kankovsky aka Peak                          / Jeremiah 9:21        \
"For death is come up into our MS Windows(tm)..." \ 21th century edition /