Project Simple / ST-114

Insufficient Email Authorization Controls

    Details

    • Type: Change Request
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Component/s: BenAdmin
    • Labels:
    • Module: BenAdmin - Security
    • Reported by: Support
    • Item State: Production Complete - Closed
    • Issue Importance: Must Have
    • Sprint: ST Sprint 2

      Description

      Vulnerability Description:
      WORKTERRA provides an interface for sending emails to administrators and WORKTERRA's customer support system. The backend does not rate-limit or validate the destination of these emails.

      Impact:
      A malicious user could use WORKTERRA servers as a spam delivery platform.

      Verification and Attack Information:
      Praetorian verified this finding by intercepting requests to the endpoint responsible for sending emails. A malicious user can modify the destination email address to any email address. Additionally, there are no controls in place on the number of emails sent within a given time frame. This finding was demonstrated by sending 50 emails to a test email account. The figure below shows that the emails are originating from WORKTERRA IP addresses.

      Recommendation:
      Validate the email's destination address on the server side. Additionally, WORKTERRA should limit the number of emails that a user can send per minute.
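      The two controls the recommendation asks for, shown together as an added illustration (not WORKTERRA code): the client submits a recipient key that the server resolves against its own administrator directory, so a raw address can never be injected, and a per-user sliding-window limiter throttles sends per minute. ADMIN_DIRECTORY, EmailRateLimiter and handle_send are hypothetical names constructed for this example.

```python
import time
from collections import defaultdict, deque

# Constructed directory: clients send a recipient key, never a raw address.
ADMIN_DIRECTORY = {
    "hr": "hr-admin@example.com",
    "support": "support@example.com",
}
MAX_PER_MINUTE = 5
WINDOW_SECONDS = 60


class EmailRateLimiter:
    """Sliding-window counter keyed by the authenticated user, not by client input."""

    def __init__(self, limit=MAX_PER_MINUTE, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._sent = defaultdict(deque)  # user_id -> timestamps of accepted sends

    def allow(self, user_id, now=None):
        now = time.monotonic() if now is None else now
        q = self._sent[user_id]
        while q and now - q[0] >= self.window:  # expire entries outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def resolve_recipient(recipient_key):
    """Map the client-supplied key to a server-controlled address; None if unknown."""
    return ADMIN_DIRECTORY.get(recipient_key)


def handle_send(user_id, recipient_key, body, limiter, now=None, send=None):
    """Hypothetical endpoint handler. Returns (status, detail); `send` is injected
    so the example runs offline without a mail server."""
    to_addr = resolve_recipient(recipient_key)
    if to_addr is None:
        return "rejected", "unknown recipient"  # raw addresses never reach the mailer
    if not limiter.allow(user_id, now):
        return "throttled", "rate limit exceeded"
    if send is not None:
        send(to_addr, body)
    return "sent", to_addr
```

      Rejected recipients are checked before the limiter so they do not consume the user's quota, and the limiter is keyed by the authenticated user id rather than anything the client controls.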

            Activity

            niteen.surwase Niteen Surwase (Inactive) added a comment -

            Hi Venkatesh Pujari

            I have checked it on CSS for an HSPL company employee and it is working correctly.
            Please verify again.

            venkatesh.pujari Venkatesh Pujari (Inactive) added a comment -

            Testing done on Stage: SA login and candidate login functionality are working properly. Employee login, "Write to your Benefits Administrator/HR" and "Feedback about Benefits Enrollment System" functionality are also working fine.

            Ready for Production.

            venkatesh.pujari Venkatesh Pujari (Inactive) added a comment -

            Tested on Production with SA login; a server error is displayed on clicking the Send button.

            Please refer to the attached screenshot.

            Reopening the ticket

            vijayendra Vijayendra Shinde (Inactive) added a comment -

            Hi Venkatesh Pujari,

            This issue has been fixed on Production. It was due to a configuration issue. The patch has been deployed on Production. You can verify this and close this ticket.

            Thanks.

            rashmita.dudhe Rashmita Dudhe (Inactive) added a comment -

            Testing in progress


              People

              Assignee: rashmita.dudhe Rashmita Dudhe (Inactive)
              Reporter: vijayendra Vijayendra Shinde (Inactive)
              Developer: Niteen Surwase (Inactive)
              Votes: 0
              Watchers: 6
