TRUfusion Enterprise Hard-Coded Cryptographic Key Vulnerability Allowing Session Cookie Forgery

Vulnerability

A vulnerability in TRUfusion Enterprise versions through 7.10.4.0 allows session cookie forgery due to the use of a hard-coded cryptographic key. The application encrypts authentication cookies with a static key embedded in the software, so anyone who knows that key can produce a valid cookie without credentials, bypass authentication, and gain unauthorized access to sensitive internal information. The vulnerability is exploited by manipulating the 'COOKIEID' or 'ADMINCOOKIEID' cookies, which are used to authenticate users on certain endpoints, such as '/trufusionPortal/getProjectList'.

Impact

Exploitation of this vulnerability allows an unauthenticated attacker to gain access to any user's account on TRUfusion Enterprise.

Reproduction

The vulnerability can be reproduced by using the hard-coded IDEA key '1234567890123456' to encrypt user IDs, creating valid 'COOKIEID' or 'ADMINCOOKIEID' cookies. These forged cookies can then be used to authenticate as the corresponding user on the TRUfusion Enterprise application.
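The following added example (not TRUfusion code, and not part of this advisory) illustrates the design flaw in the abstract: a cookie derived only from the user ID and a key that ships with the application can be minted by anyone who has read the code, while a session scheme with a per-deployment random secret, an HMAC integrity tag, an opaque random session ID and an expiry rejects such cookies. The "legacy" functions stand in for the IDEA-encrypted cookie described above (HMAC is used instead of IDEA because the property being shown, a key known to everyone, is the same); the constant `HARDCODED_KEY`, the environment variable name `SESSION_SECRET`, and all user IDs are constructed placeholders.

```python
"""Hard-coded key vs. per-deployment secret for session cookies (illustrative)."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# --- Vulnerable pattern: key is a literal in the code base (constructed placeholder) ---
HARDCODED_KEY = b"0000000000000000"


def legacy_mint(user_id: str) -> str:
    """Vulnerable: the cookie depends only on the user ID and a constant key."""
    tag = hmac.new(HARDCODED_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{tag}"


def legacy_verify(cookie: str) -> Optional[str]:
    """Accepts any cookie built with the constant, regardless of who built it."""
    user_id, sep, tag = cookie.rpartition(":")
    if not sep:
        return None
    expected = hmac.new(HARDCODED_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(tag, expected) else None


def static_key_cookie_needs_no_server_state() -> bool:
    """Shows the flaw: a cookie for an arbitrary account is accepted although the
    server never issued it, because minting needs nothing beyond the constant."""
    return legacy_verify(legacy_mint("admin")) == "admin"


# --- Hardened pattern: random secret, opaque session ID, integrity tag, expiry ---
class SessionStore:
    def __init__(self, secret: Optional[bytes] = None, ttl_seconds: int = 3600):
        # The secret is loaded from the environment (hypothetical variable name)
        # or generated at start-up; it is never a literal in the source.
        env = os.environ.get("SESSION_SECRET")
        self._secret = secret or (bytes.fromhex(env) if env else secrets.token_bytes(32))
        self._ttl = ttl_seconds
        # Identity lives server-side; the cookie carries only an opaque ID.
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def _tag(self, session_id: str) -> str:
        return hmac.new(self._secret, session_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)  # unguessable, unrelated to the user ID
        self._sessions[session_id] = (user_id, now + self._ttl)
        return f"{session_id}.{self._tag(session_id)}"

    def verify(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        session_id, sep, tag = cookie.partition(".")
        if not sep or not hmac.compare_digest(tag, self._tag(session_id)):
            return None  # tampered, or minted under a different secret
        entry = self._sessions.get(session_id)
        if entry is None or entry[1] < now:
            self._sessions.pop(session_id, None)
            return None  # unknown or expired session
        return entry[0]


def cookie_from_other_deployment_rejected() -> bool:
    """A cookie minted by a second instance running the same code is useless against
    the first: the secret differs and the session ID is unknown server-side."""
    production = SessionStore()
    lab_copy = SessionStore()  # identical code, independent random secret
    foreign = lab_copy.issue("admin")
    genuine = production.issue("alice")
    return production.verify(foreign) is None and production.verify(genuine) == "alice"


if __name__ == "__main__":
    print("static-key cookie accepted without issuance:", static_key_cookie_needs_no_server_state())
    print("foreign-deployment cookie rejected:", cookie_from_other_deployment_rejected())
```

The two designs differ in exactly the property the advisory describes: in the legacy scheme the only secret is a constant that every copy of the software contains, so verification cannot distinguish a cookie the server issued from one built elsewhere; in the hardened scheme a cookie is only accepted if it carries a tag under this deployment's secret and refers to a session the server itself created and has not expired.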

Remediation

Users are advised to update to TRUfusion Enterprise versions 7.10.3.1, 7.10.1.1, 7.10.1.0, 7.10.3.0, 7.9.4.0, 7.9.6.1, 7.9.6.0, 7.9.3.0, 7.9.3.1, 7.9.2.1, 7.10.0.1, 7.9.5.0 or 7.10.2.0.

Added: Oct 27, 2025, 5:27 PM
Updated: Oct 27, 2025, 5:27 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.8
impact: 5.0
exploitability: 9.5
remediation: 7.7
relevance: 0.8
threat: 6.5
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.