Medium Vulnerability Description:
WORKTERRA provides an interface for sending emails to administrators and WORKTERRA's customer support system. The backend does not rate-limit or validate the destination of these emails.
Impact:
A malicious user could use WORKTERRA servers as a spam delivery platform.
Verification and Attack Information:
Praetorian verified this finding by intercepting requests to the endpoint responsible for sending emails. A malicious user can modify the destination email address to any email address. Additionally, there are no controls in place to the number of emails sent within a given time frame. This finding was demonstrated by sending 50 emails to a test email account. The figure below shows that the emails are originating from WORKTERRA IP addresses.
Recommendation:
Validate the email's destination address on the server-side. Additionally, WORKTERRA should limit the number of emails that a user can send per-minute.
- relates to
-
ST-211 Restrict domain user for emails
-
- Closed
-
| Field | Original Value | New Value |
|---|---|---|
| Rank | Ranked higher |
| Assignee | Niteen Surwase [ niteen.surwase ] |
| Sprint | ST Sprint 2 [ 4 ] |
| Rank | Ranked lower |
| Status | New Request [ 10029 ] | Pending for Approval [ 10002 ] |
| Status | Pending for Approval [ 10002 ] | Approved for Development [ 10003 ] |
| Status | Approved for Development [ 10003 ] | In Development [ 10007 ] |
| Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
Pages for Testing
1] SA login --> Customizer
--> What Have We Done For You Lately
--> Generate report and click on Share Icon
2] First Enable "Write to your Benefits Administrator /HR" option from SystemSetting for company
--> Login with that company employee
--> Click On "Click Here" button on Homepage for "Write to your Benefits Administrator /HR"
Please test for ToEmailField(Enable/Disabled), do not test validations.
| Assignee | Niteen Surwase [ niteen.surwase ] | Amit Gude [ amitg ] |
Assigning to Zeeshan
| Assignee | Amit Gude [ amitg ] | Zeeshan Chishty [ zeeshan.chishty ] |
Note
"Completed working on hiding To emailID list on pages where To list text box was disabled. Changes has been checked In into LB.
Need to find customization for restricting user sending 50 emails in time frame. We should allow only 20 email in a minute from one domain user."
| Issue Importance | Must Have [ 11800 ] |
Zeeshan Chishty (Inactive)
made changes -
| Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Niteen Surwase [ niteen.surwase ] |
Zeeshan Chishty (Inactive)
made changes -
| Labels | Security |
| Item State | Parent values: Development(10200)Level 1 values: In Progress(10206) | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) |
| Module | Parent values: BenAdmin(10100) | Parent values: BenAdmin(10100)Level 1 values: Security(10112) |
| Item State | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) | Parent values: LB QA(10201)Level 1 values: In Testing(10210) |
Code check-in on LB and Local for Candidate Feedback (via Candidate Login) and Removed Tomail field
Also Code enhanced with Page Specific Session for Employee Feedback as well as Candidate Feedback.
Candidate Login required to check that.
Niteen Surwase who is testing this?
Vijayendra ShindeZeeshan Chishty
| Assignee | Niteen Surwase [ niteen.surwase ] | Venkatesh Pujari [ venkatesh.pujari ] |
Tested both the steps given by Niteen.
Working fine as expected.
Ready for Stage
| Item State | Parent values: LB QA(10201)Level 1 values: In Testing(10210) | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) |
| Item State | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) | Parent values: LB QA(10201)Level 1 values: In Testing(10210) |
| Developer | Niteen Surwase [ niteen.surwase ] |
| Item State | Parent values: LB QA(10201)Level 1 values: In Testing(10210) | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) |
| Item State | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) | Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) |
| Status | Local Testing [ 10200 ] | Pending for Stage Approval [ 10300 ] |
| Status | Pending for Stage Approval [ 10300 ] | Approved for Stage [ 10030 ] |
| Item State | Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) | Parent values: LB QA(10201)Level 1 values: On Hold(10211) |
| Item State | Parent values: LB QA(10201)Level 1 values: On Hold(10211) | Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) |
Testing done on Stage for SA login and candidate log in functionality working properly.
But for Write to your Benefits Administrator /HR and Feedback about Benefits Enrollment System functionality not working as per implementation.
Reopening the ticket.
Thanks,
Venkatesh.
| Item State | Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) | Parent values: Stage QA(10202)Level 1 values: Re-open(10216) |
| Assignee | Venkatesh Pujari [ venkatesh.pujari ] | Niteen Surwase [ niteen.surwase ] |
| Item State | Parent values: Stage QA(10202)Level 1 values: Re-open(10216) | Parent values: Stage QA(10202)Level 1 values: In Testing(10214) |
| Assignee | Niteen Surwase [ niteen.surwase ] | Venkatesh Pujari [ venkatesh.pujari ] |
I have checked it on CSS for HSPL company employee and it is working correctly.
Please verify again.
Testing done on Stage for SA login and candidate log in functionality working properly. Employee log in Write to your Benefits Administrator /HR and Feedback about Benefits Enrollment System functionality also working fine.
Ready for Production.
| Item State | Parent values: Stage QA(10202)Level 1 values: In Testing(10214) | Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) |
| Production Due Date | 21/Jun/2016 |
| Item State | Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) | Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) |
| Status | Approved for Stage [ 10030 ] | Stage Testing [ 10201 ] |
| Status | Stage Testing [ 10201 ] | Pending for Production Approval [ 10301 ] |
| Status | Pending for Production Approval [ 10301 ] | Approved for production [ 10034 ] |
| Attachment | server_error.png [ 20408 ] |
| Item State | Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) | Parent values: Production QA(10203)Level 1 values: Re-open(10220) |
Tested on Production with SA login server error is being displayed on click of send button.
Please refer attached screen shot.
Reopening the ticket
| Assignee | Venkatesh Pujari [ venkatesh.pujari ] | Niteen Surwase [ niteen.surwase ] |
| Status | Approved for production [ 10034 ] | Production Testing [ 10202 ] |
| Status | Production Testing [ 10202 ] | Reopen in Production [ 10027 ] |
| Assignee | Niteen Surwase [ niteen.surwase ] | Vijayendra Shinde [ ID10506 ] |
| Comment |
[ *Error Log:* Exception : File \\10.145.65.75\WORKterra\Temp\InforGraphics_23_8_56_110935.pdf does not exist. Message not sent.ERROR OCCURED IN attachementError App Error Log : ControllerAppTier.Save->WORKTERRAControllerAppTier.Save->CommonFunctions.SendEmployeeFeedbackEmailNotification Employee ID : 0 Action Name : EmployeeFeedback Model : System.Web.Mvc.HandleErrorInfo Controller : PTHomePage Web Error Log : at WORKTERRA.Shared.WORKTERRAControllerWebTier.Save(ObjectType I_objectType, Object objInputObject, Object I_context, Boolean I_mode) at WORKTERRA.Models.EmployeeFeedbackModel.SendEmployeeFeedBackNotification() at WORKTERRA.Shared.Controllers.PTHomePageController.EmployeeFeedback(EmployeeFeedbackModel ObjEmployeeFeedbackModel) at lambda_method(Closure , ControllerBase , Object[] ) at System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass13.<InvokeActionMethodWithFilters>b__10() at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass13.<>c__DisplayClass15.<InvokeActionMethodWithFilters>b__12() at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass13.<>c__DisplayClass15.<InvokeActionMethodWithFilters>b__12() at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodWithFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor, IDictionary`2 parameters) at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) ] |
| Attachment | Error Log.txt [ 27187 ] |
Hi Venkatesh Pujari,
This issue has been fixed on Production. It was due to configuration issue. Patch has been deployed on Production. You can verify this and close this ticket.
Thanks.
| Assignee | Vijayendra Shinde [ ID10506 ] | Venkatesh Pujari [ venkatesh.pujari ] |
| Status | Reopen in Production [ 10027 ] | In Development [ 10007 ] |
| Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
| Status | Local Testing [ 10200 ] | Pending for Stage Approval [ 10300 ] |
| Status | Pending for Stage Approval [ 10300 ] | Approved for Stage [ 10030 ] |
| Status | Approved for Stage [ 10030 ] | Stage Testing [ 10201 ] |
| Status | Stage Testing [ 10201 ] | Pending for Production Approval [ 10301 ] |
| Status | Pending for Production Approval [ 10301 ] | Approved for production [ 10034 ] |
| Status | Approved for production [ 10034 ] | Production Testing [ 10202 ] |
| Item State | Parent values: Production QA(10203)Level 1 values: Re-open(10220) | Parent values: Production QA(10203)Level 1 values: In Testing(10218) |
| Item State | Parent values: Production QA(10203)Level 1 values: In Testing(10218) | Parent values: Production QA(10203)Level 1 values: On Hold(10219) |
| Assignee | Venkatesh Pujari [ venkatesh.pujari ] | Niteen Surwase [ niteen.surwase ] |
| Resolution | Fixed [ 1 ] | |
| Status | Production Testing [ 10202 ] | Production Complete [ 10028 ] |
| Item State | Parent values: Production QA(10203)Level 1 values: On Hold(10219) | Parent values: Production Complete(10222)Level 1 values: Closed(10223) |
| Assignee | Niteen Surwase [ niteen.surwase ] | Vijayendra Shinde [ ID10506 ] |
| Assignee | Vijayendra Shinde [ ID10506 ] | Rakesh Roy [ rakeshr ] |
| Status | Production Complete [ 10028 ] | Closed [ 6 ] |
| Assignee | Rakesh Roy [ rakeshr ] | Mahendra Mungase [ mahendra.mungase ] |
| Item State | Parent values: Production Complete(10222)Level 1 values: Closed(10223) | Parent values: Production QA(10203)Level 1 values: Re-open(10220) |
| Comment | [ [~mahendra.mungase] Please check this on weekend after OE testing. ] |
| Assignee | Mahendra Mungase [ mahendra.mungase ] | Hrishikesh Deshpande [ hrishikesh.deshpande ] |
| Assignee | Hrishikesh Deshpande [ hrishikesh.deshpande ] | Rashmita Dudhe [ rashmita.dudhe ] |
Testing in progress
| Item State | Parent values: Production QA(10203)Level 1 values: Re-open(10220) | Parent values: Production Complete(10222)Level 1 values: Closed(10223) |
| Transition | Time In Source Status | Execution Times |
|---|
|
26m 7s | 1 |
|
5s | 1 |
|
10s | 1 |
|
1s | 1 |
|
91d 17h 22m | 1 |
|
2d 21h 56m | 2 |
|
70d 19h 56m | 2 |
|
10s | 2 |
|
5d 3h 2m | 2 |
|
5s | 2 |
|
6s | 2 |
|
2h 38m | 2 |
|
62d 8h 31m | 1 |
|
2d 50m | 1 |
Locations where changes needs to be done-
1)D:\WT\Trunk\Web\Web Projects\BenAdmin\Areas\Customization\Models\PlanDesign\PlanDesignEditContactModel.cs
2)WORKTERA HomeCompany HomeBenAdmin HomeBenAdmin Company HomeBenefit Providers
BenefitProviderModel.cs//
3)AdminUserPVModel.cs//
4)CompanyContactFormPVModel.cs //
5)SystemUserModel.cs//
6)QEEmailNotificationModel.cs// FROM/BCC
7)EmailMessageFormatModel.cs// from/bcc
8)EmpListAndEmailPVModel.cs//
9)IncompleteEnrollmentModel.cs//
10)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Models/EDI/TemplateSettingsModel.cs
11)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Models/EDI/TemplateDeliveryModel.cs
12)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Models/EDI/GroupTemplateInformationModel.cs
13)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Models/EDI/GroupTemplateDeliveryModel.cs
14)/branches/Production/Web/Web Projects/WORKTERRA/Scripts/ImportExportTemplateManagement_MVC.js
15)/branches/Production/Web/Web Projects/WORKTERRA/Scripts/GroupTemplateManagement.js
16)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Views/Customization/EDI/TemplateSettings.cshtml
17)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Views/Customization/EDI/TemplateDelivery.cshtml
18)/branches/Production/Web/Web 19)Projects/WORKTERRA/Areas/Customization/Views/Customization/EDI/GroupTemplateInformation.cshtml
20)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Views/Customization/EDI/GroupTemplateDelivery.cshtml
21)/branches/Production/Web/Web Projects/BenAdmin/Areas/Customization/Views/Customization/BenefitProvider/AddBenefitProvider.cshtml