Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: bt306.txt

P-Synch Password Management Multiple Vulnerabilities CGI:

Multiple Vulnerabilities In P-Synch Password Management


The other night I came across a server running P-Synch. 

I had never heard of it so i was curious to poke around 

on it a bit. Within an hour i found the vulns listed below. 

Im pretty sure there are other more serious vulns in 

P-Synch, but they are very picky about who they give thier

software to, even an evaluation version. So was not able

to test any further. However i encourage any admins running

P-Synch to poke around on it, just to be on the safe side.



P-Synch Total Password Management Solution  


P-Synch is a total password management solution. It is 

intended to reduce the cost of ownership of password systems, 

and simultaneously improve the security of password protected 

systems. This is done through: -Password Synchronization. 

-Enforcing an enterprise wide password strength policy. 

-Allowing authenticated users to reset their own forgotten 

passwords and enable their locked out accounts. -Streamlining 

help desk call resolution for password resets. P-Synch is 

available for both internal use, on the corporate Intranet, 

as well as for the Internet deployment in B2B and B2C 




All of these problems are simple, self explanatory vulns

so, i'm sure the below examples will speak for themselves.

Once again this application was NOT thoroughly researced.

So anyone with a copy of P-Synch might wanna explore it


Path Disclosure Vulnerability




Code Injection Vulnerability


https://path/to/psynch/nph-psf.exe?css=">[VBScript, JScript etc]

https://path/to/psynch/nph-psa.exe?css=">[VBScript, JScript etc]

File Include Vulnerability






All credits go to JeiAr of GulfTech Computers and CSA 

Security Research

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH