Security Hole?

Tony

I think I found a security hole in PDS that's simple to exploit. I'm
hoping someone knows how I can close this up because it's a snap to
exploit.

Build a web page or start a VB project that makes an XML call for the
<Request><GetLoginInformation/></Request> command. What gets returned
is the db login for the MSPServerUser. Note, this is not restricted to
Admins only: Project Managers, Portfolio Managers and Resource Managers
can all make this call (Team Members, Team Leaders and Executives get a
50 status returned). With this login, they have unrestricted access to
the database.

The database login is returned in human-readable format to people who
are not admins--this poses a significant security risk, especially
because it's so easy to exploit.

Is there a way to close this hole?

Best,
-Tony
 
Mike Glen

Hi Tony,

Try posting on the server newsgroup as this one is closing down. Please see
FAQ Item: 24. Project Newsgroups. FAQs, companion products and other useful
Project information can be seen at this web address:
http://project.mvps.org/faqs.htm

Mike Glen
Project MVP
 
