[ST-114] Insufficient Email Authorization Controls - Workterra Jira

Details

Type: Change Request
Status: Closed
Priority: Medium
Resolution: Done
Component/s: BenAdmin
Labels:
- Security

Module:
BenAdmin - Security
Reported by:
Support
Item State:
Production Complete - Closed
Issue Importance:
Must Have
Sprint:
ST Sprint 2

Description

Vulnerability Description:
WORKTERRA provides an interface for sending emails to administrators and WORKTERRA's customer support system. The backend does not rate-limit or validate the destination of these emails.

Impact:
A malicious user could use WORKTERRA servers as a spam delivery platform.

Verification and Attack Information:
Praetorian verified this finding by intercepting requests to the endpoint responsible for sending emails. A malicious user can modify the destination email address to any email address. Additionally, there are no controls in place to the number of emails sent within a given time frame. This finding was demonstrated by sending 50 emails to a test email account. The figure below shows that the emails are originating from WORKTERRA IP addresses.

Recommendation:
Validate the email's destination address on the server-side. Additionally, WORKTERRA should limit the number of emails that a user can send per-minute.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

Error Log.txt
2 kB
20/Sep/16 06:36 AM
server_error.png
194 kB
22/Jun/16 12:03 PM

Issue Links

relates to

ST-211 Restrict domain user for emails

Closed

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Vijayendra Shinde (Inactive) added a comment - 04/Apr/16 12:08 PM

Locations where changes needs to be done-

1)D:\WT\Trunk\Web\Web Projects\BenAdmin\Areas\Customization\Models\PlanDesign\PlanDesignEditContactModel.cs
2)WORKTERA HomeCompany HomeBenAdmin HomeBenAdmin Company HomeBenefit Providers
BenefitProviderModel.cs//
3)AdminUserPVModel.cs//
4)CompanyContactFormPVModel.cs //
5)SystemUserModel.cs//
6)QEEmailNotificationModel.cs// FROM/BCC
7)EmailMessageFormatModel.cs// from/bcc
8)EmpListAndEmailPVModel.cs//
9)IncompleteEnrollmentModel.cs//
10)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Models/EDI/TemplateSettingsModel.cs
11)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Models/EDI/TemplateDeliveryModel.cs
12)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Models/EDI/GroupTemplateInformationModel.cs
13)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Models/EDI/GroupTemplateDeliveryModel.cs
14)/branches/Production/Web/Web Projects/WORKTERRA/Scripts/ImportExportTemplateManagement_MVC.js
15)/branches/Production/Web/Web Projects/WORKTERRA/Scripts/GroupTemplateManagement.js
16)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Views/Customization/EDI/TemplateSettings.cshtml
17)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Views/Customization/EDI/TemplateDelivery.cshtml
18)/branches/Production/Web/Web 19)Projects/WORKTERRA/Areas/Customization/Views/Customization/EDI/GroupTemplateInformation.cshtml
20)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Views/Customization/EDI/GroupTemplateDelivery.cshtml
21)/branches/Production/Web/Web Projects/BenAdmin/Areas/Customization/Views/Customization/BenefitProvider/AddBenefitProvider.cshtml

Show

Vijayendra Shinde (Inactive) added a comment - 04/Apr/16 12:08 PM Locations where changes needs to be done- 1)D:\WT\Trunk\Web\Web Projects\BenAdmin\Areas\Customization\Models\PlanDesign\PlanDesignEditContactModel.cs 2)WORKTERA HomeCompany HomeBenAdmin HomeBenAdmin Company HomeBenefit Providers BenefitProviderModel.cs// 3)AdminUserPVModel.cs// 4)CompanyContactFormPVModel.cs // 5)SystemUserModel.cs// 6)QEEmailNotificationModel.cs// FROM/BCC 7)EmailMessageFormatModel.cs// from/bcc 8)EmpListAndEmailPVModel.cs// 9)IncompleteEnrollmentModel.cs// 10)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Models/EDI/TemplateSettingsModel.cs 11)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Models/EDI/TemplateDeliveryModel.cs 12)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Models/EDI/GroupTemplateInformationModel.cs 13)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Models/EDI/GroupTemplateDeliveryModel.cs 14)/branches/Production/Web/Web Projects/WORKTERRA/Scripts/ImportExportTemplateManagement_MVC.js 15)/branches/Production/Web/Web Projects/WORKTERRA/Scripts/GroupTemplateManagement.js 16)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Views/Customization/EDI/TemplateSettings.cshtml 17)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Views/Customization/EDI/TemplateDelivery.cshtml 18)/branches/Production/Web/Web 19)Projects/WORKTERRA/Areas/Customization/Views/Customization/EDI/GroupTemplateInformation.cshtml 20)/branches/Production/Web/Web Projects/WORKTERRA/Areas/Customization/Views/Customization/EDI/GroupTemplateDelivery.cshtml 21)/branches/Production/Web/Web Projects/BenAdmin/Areas/Customization/Views/Customization/BenefitProvider/AddBenefitProvider.cshtml

Hide

Permalink

Niteen Surwase (Inactive) added a comment - 07/Apr/16 10:33 AM

Pages for Testing
1] SA login --> Customizer
--> What Have We Done For You Lately
--> Generate report and click on Share Icon
2] First Enable "Write to your Benefits Administrator /HR" option from SystemSetting for company
--> Login with that company employee
--> Click On "Click Here" button on Homepage for "Write to your Benefits Administrator /HR"

Please test for ToEmailField(Enable/Disabled), do not test validations.

Show

Niteen Surwase (Inactive) added a comment - 07/Apr/16 10:33 AM Pages for Testing 1] SA login --> Customizer --> What Have We Done For You Lately --> Generate report and click on Share Icon 2] First Enable "Write to your Benefits Administrator /HR" option from SystemSetting for company --> Login with that company employee --> Click On "Click Here" button on Homepage for "Write to your Benefits Administrator /HR" Please test for ToEmailField(Enable/Disabled), do not test validations.

Hide

Permalink

Amit Gude (Inactive) added a comment - 20/Apr/16 09:04 AM

Assigning to Zeeshan

Show

Amit Gude (Inactive) added a comment - 20/Apr/16 09:04 AM Assigning to Zeeshan

Hide

Permalink

Niteen Surwase (Inactive) added a comment - 25/Apr/16 12:11 PM

Note
"Completed working on hiding To emailID list on pages where To list text box was disabled. Changes has been checked In into LB.

Need to find customization for restricting user sending 50 emails in time frame. We should allow only 20 email in a minute from one domain user."

Show

Niteen Surwase (Inactive) added a comment - 25/Apr/16 12:11 PM Note "Completed working on hiding To emailID list on pages where To list text box was disabled. Changes has been checked In into LB. Need to find customization for restricting user sending 50 emails in time frame. We should allow only 20 email in a minute from one domain user."

Hide

Permalink

Niteen Surwase (Inactive) added a comment - 03/Jun/16 12:56 PM - edited

Code check-in on LB and Local for Candidate Feedback (via Candidate Login) and Removed Tomail field
Also Code enhanced with Page Specific Session for Employee Feedback as well as Candidate Feedback.

Candidate Login required to check that.

Show

Niteen Surwase (Inactive) added a comment - 03/Jun/16 12:56 PM - edited Code check-in on LB and Local for Candidate Feedback (via Candidate Login) and Removed Tomail field Also Code enhanced with Page Specific Session for Employee Feedback as well as Candidate Feedback. Candidate Login required to check that.

Hide

Permalink

Rakesh Roy (Inactive) added a comment - 11/Jun/16 04:16 PM

Niteen Surwase who is testing this?
Vijayendra Shinde Zeeshan Chishty

Show

Rakesh Roy (Inactive) added a comment - 11/Jun/16 04:16 PM Niteen Surwase who is testing this? Vijayendra Shinde Zeeshan Chishty

Hide

Permalink

Venkatesh Pujari (Inactive) added a comment - 14/Jun/16 05:40 AM

Tested both the steps given by Niteen.
Working fine as expected.

Ready for Stage

Show

Venkatesh Pujari (Inactive) added a comment - 14/Jun/16 05:40 AM Tested both the steps given by Niteen. Working fine as expected. Ready for Stage

Hide

Permalink

Venkatesh Pujari (Inactive) added a comment - 20/Jun/16 06:07 AM

Testing done on Stage for SA login and candidate log in functionality working properly.
But for Write to your Benefits Administrator /HR and Feedback about Benefits Enrollment System functionality not working as per implementation.

Reopening the ticket.

Thanks,
Venkatesh.

Show

Venkatesh Pujari (Inactive) added a comment - 20/Jun/16 06:07 AM Testing done on Stage for SA login and candidate log in functionality working properly. But for Write to your Benefits Administrator /HR and Feedback about Benefits Enrollment System functionality not working as per implementation. Reopening the ticket. Thanks, Venkatesh.

Hide

Permalink

Niteen Surwase (Inactive) added a comment - 20/Jun/16 06:25 AM

Hi Venkatesh Pujari

I have checked it on CSS for HSPL company employee and it is working correctly.
Please verify again.

Show

Niteen Surwase (Inactive) added a comment - 20/Jun/16 06:25 AM Hi Venkatesh Pujari I have checked it on CSS for HSPL company employee and it is working correctly. Please verify again.

Hide

Permalink

Venkatesh Pujari (Inactive) added a comment - 20/Jun/16 06:35 AM

Testing done on Stage for SA login and candidate log in functionality working properly. Employee log in Write to your Benefits Administrator /HR and Feedback about Benefits Enrollment System functionality also working fine.

Ready for Production.

Show

Venkatesh Pujari (Inactive) added a comment - 20/Jun/16 06:35 AM Testing done on Stage for SA login and candidate log in functionality working properly. Employee log in Write to your Benefits Administrator /HR and Feedback about Benefits Enrollment System functionality also working fine. Ready for Production.

Hide

Permalink

Venkatesh Pujari (Inactive) added a comment - 22/Jun/16 12:03 PM

Tested on Production with SA login server error is being displayed on click of send button.

Please refer attached screen shot.

Reopening the ticket

Show

Venkatesh Pujari (Inactive) added a comment - 22/Jun/16 12:03 PM Tested on Production with SA login server error is being displayed on click of send button. Please refer attached screen shot. Reopening the ticket

Hide

Permalink

Vijayendra Shinde (Inactive) added a comment - 21/Sep/16 09:11 AM

Hi Venkatesh Pujari,

This issue has been fixed on Production. It was due to configuration issue. Patch has been deployed on Production. You can verify this and close this ticket.

Thanks.

Show

Vijayendra Shinde (Inactive) added a comment - 21/Sep/16 09:11 AM Hi Venkatesh Pujari , This issue has been fixed on Production. It was due to configuration issue. Patch has been deployed on Production. You can verify this and close this ticket. Thanks.

Hide

Permalink

Rashmita Dudhe (Inactive) added a comment - 28/Nov/16 12:59 PM

Testing in progress

Show

Rashmita Dudhe (Inactive) added a comment - 28/Nov/16 12:59 PM Testing in progress

People

Assignee:: Rashmita Dudhe (Inactive)

Reporter:: Vijayendra Shinde (Inactive)

Developer:: Niteen Surwase (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 04/Apr/16 12:03 PM

Updated:: 21/Dec/16 02:18 PM

Resolved:: 23/Nov/16 12:57 PM

Production Due Date:: 21/Jun/2016