Kwik-Pay Payroll insecure database file permissions
kwikpay-payroll-insecure-permissions (25114)
Description:
Kwik-Pay Payroll stores employment and payment information in database files within the installation directory, and these files have insecure permissions. A local attacker could access these files and possibly obtain sensitive information.
Consequences:
Obtain Information
Remedy:
Upgrade to the latest version of Kwik-Pay (4.2.22 or later), available from the Kwik-Pay Payroll Software Web site. See References.
References:
- Kwik-Pay Payroll Software Web site: Kwik-Pay Payroll.
- CVE-2006-1050: ** DISPUTED ** Kwik-Pay Payroll 4.2.20, and possibly other versions, stores the KwikPay.mdb database file with insecure permissions, which allows local users to obtain sensitive information such as employment and payment data. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the vendor has disputed this vulnerability, stating that The kwikpay.mdb file supplied with kwikpay is a template for the database structure of user databases created by kwikpay and to store a demonstration payroll. It does not contain any sensitive user information. When a user payroll database is opened
- OSVDB ID: 23617: Kwik-Pay Payroll Payroll and Employment Information Disclosure
- SA19075: Kwik-Pay Payroll Exposure of Employment and Payment Information
Platforms Affected:
- Kwik-Pay Software Kwik-Pay Payroll 4.2.20
Reported:
Mar 03, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
