Security Advisory – SOS-15-004 – ClickSoftware ClickSchedule Multiple Security Vulnerabilities
Release Date: 14-Apr-2015
Last Update: –
Vendor Notification Date: 24-Jun-2014
Product: ClickSoftware ClickSchedule Web Application
Affected versions: –
Severity Rating: High
Impact: Privilege escalation, manipulation of data
Attack Vector: Remote with authentication
Solution Status: Vendor patch
CVE reference: –
ClickSoftware ClickSchedule is a web application that provides workforce management and scheduling functionality to field engineers and managers. The ClickSchedule application and its backend web service have vertical and horizontal privilege escalation vulnerabilities that allow mobile users to impersonate other users by knowing only their username, without their password. The ClickSchedule web service that the web application connects to performs no access control after the initial NTLM authentication exchange. It also uses the CallerIdentity and ID variables supplied in requests as the user identity, instead of the identity in the authenticated session data. This allows users to spoof their identity in order to manipulate system logging or access control decisions. Attackers can use these vulnerabilities to impersonate a privileged user to obtain unauthorised access to SAP resources or to manipulate SAP data that requires higher privileges.
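The root cause described above, trusting a caller-supplied identity field over the identity the authentication exchange actually established, is shown below as an added illustration written for this advisory; it is not ClickSoftware code and does not reproduce the ClickSchedule web service. The request model, the role table, the user names and the approve_schedule operation are all constructed assumptions. The vulnerable handler reads CallerIdentity from the request body; the hardened handler ignores it for authorisation, uses the session principal, and writes an audit entry whenever the two disagree so that spoof attempts become detectable.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed role table; names and roles are illustrative only.
ROLES: Dict[str, str] = {"alice": "engineer", "bob": "engineer", "mgr.carol": "manager"}


@dataclass
class Request:
    session_user: str       # principal established by the authentication exchange (e.g. NTLM)
    body: Dict[str, str]    # parsed request fields, e.g. CallerIdentity / ID


@dataclass
class AuditLog:
    entries: List[str] = field(default_factory=list)


def vulnerable_who_am_i(req: Request) -> str:
    """Mirrors the flaw in the advisory: the acting identity is taken from the
    request body, so whatever the client writes into CallerIdentity is believed."""
    return req.body.get("CallerIdentity", req.session_user)


def hardened_who_am_i(req: Request, log: AuditLog) -> str:
    """The acting identity comes only from the authenticated session. A
    CallerIdentity that disagrees with it is logged as a spoof attempt and
    never honoured; the field is treated as untrusted client input."""
    claimed = req.body.get("CallerIdentity")
    if claimed is not None and claimed != req.session_user:
        log.entries.append(
            f"spoof-attempt session={req.session_user} claimed={claimed}"
        )
    return req.session_user


def can_approve_schedule(user: str) -> bool:
    """Hypothetical authorisation rule: only managers may approve schedules."""
    return ROLES.get(user) == "manager"


def approve_schedule(req: Request, log: AuditLog, hardened: bool) -> bool:
    """Performs the authorisation decision for a privileged operation and
    records who the service believed the actor was. Returns True if allowed."""
    actor = hardened_who_am_i(req, log) if hardened else vulnerable_who_am_i(req)
    allowed = can_approve_schedule(actor)
    log.entries.append(f"approve actor={actor} allowed={allowed}")
    return allowed


if __name__ == "__main__":
    # Constructed request: an engineer session whose body claims a manager identity.
    log = AuditLog()
    req = Request(session_user="alice", body={"CallerIdentity": "mgr.carol", "ID": "42"})
    print("vulnerable:", approve_schedule(req, log, hardened=False))  # True, wrongly
    print("hardened:  ", approve_schedule(req, log, hardened=True))   # False
    print("\n".join(log.entries))
```

The audit entry written by the hardened path is the detection hook: any occurrence of a session identity that differs from the claimed CallerIdentity is worth alerting on, and the same comparison can be run retrospectively over existing service logs that record both values.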
Please refer to the PDF version of this advisory for proof of concept code examples.
Solution: Install the 8.2 Patch002 Security Enhancement .msi and follow the vendor instructions contained in the security note.
Discovered by: Fatih Ozavci from Sense of Security Labs.