Vulnerabilities identified in PrinterLogic’s enterprise management printer solution could expose organizations to authentication bypass, SQL injection, cross-site scripting (XSS) and other types of attacks.
PrinterLogic’s platform allows organizations to manage all printers within their environments from a single console.
An analysis of the PrinterLogic SaaS platform and of the source code of the Virtual Appliance available on PrinterLogic’s website (Build 1.0.757) has revealed 18 vulnerabilities that could allow attackers to bypass authentication, inject code, and expose credentials, among others. The analysis was conducted by security researchers at Australian employment marketplace Seek.
One major issue the researchers discovered is that the platform is susceptible to an authentication bypass attack, allowing unauthenticated third-parties to access administrative scripts and modify the service’s configuration.
The bug exists because the application lacks a central framework for authentication and authorization handling. The individual PHP files need to implement the necessary checks instead, but, because some files lack these checks, unauthenticated access is possible via their direct URLs.
Another major problem the researchers have discovered is that the platform uses a flawed mechanism for preventing SQL injection, and that no input validation is present in some cases, which could lead to SQL injection.
The researchers also discovered multiple XSS flaws in the application, which could be exploited to hijack administrator accounts by leaking user session cookies. Furthermore, because the application does not issue a new session identifier after login, an attacker in possession of a session ID could use it to bypass authentication.
When logging in as admin, the URL contains the encoded password, which could be leaked via “referrer headers, browser history, server logs, proxy logs, URL shortening services,” and more, the researchers say.
The application was also found to log requests that may contain passwords in plaintext and to store passwords using unsalted SHA1 hashing. When transmitting usernames and passwords, the application uses a double base64 encoding for obfuscation, but attackers can easily recover these credentials.
The researchers also discovered that no cross-site request forgery (CSRF) checks are enforced for most forms, that the application allows admins to manually upload printer drivers with known vulnerabilities or which have not been cryptographically signed with valid certificates, and that it lacks authorization checks.
Other identified issues include the enumeration of user emails via the forgot password function, the inclusion of an arbitrary URL in an iframe (leading to untrusted file downloads), the possibility to rename a host to impersonate another machine, OAuth authentication bypass, cookie values included in the page body, and the use of known vulnerable JavaScript libraries.
The researchers initiated the responsible disclosure process in February, but the vendor has yet to provide a patch time frame. The company did note that some issues impact legacy code and at least one flaw will not be patched.
Related: PrinterLogic Patches Code Execution Flaws in Printer Management Suite
Related: Critical Vulnerability Impacts Over 120 Lexmark Printers
Related: Serious Vulnerability Exploited at Hacking Contest Impacts Over 200 HP Printers
