Account Information Disclosure Vulnerability Note
Security researcher Andrea Micalizzi (aka rgod) disclosed a guest account information disclosure vulnerability in IntegraXor through ZDI (Zero Day Initiative), which in turn coordinated the report with NCCIC/ICS-CERT.
IGX developers have patched the reported vulnerability. The fix was first shipped in Release Candidate build 4393 and is now included in the latest Official Release, build 4410, which can be obtained at this link: http://www.integraxor.com/download/igsetup.msi?4.1.4410. All releases before build 4393 are affected by this vulnerability. Please download and use build 4410 or any later release to fix it.
For compatibility reasons, the user must manually turn on Enhanced User Security (under the security tree) to enable Account Information encryption, which is what mitigates this vulnerability; installing the patched build alone does not turn this protection on. Account Information encryption will be enforced, or set as the default setting, in the next major release.
One prerequisite for exploiting this vulnerability is knowledge of the full URL path of the deployed project. Users should therefore avoid sharing or publishing the deployed project URL, and should avoid running the system on the default port number. Note that these measures only make the project harder to locate; they do not remove the vulnerability, so they should be applied in addition to upgrading and enabling Enhanced User Security, not instead of them.
Summary of Event
- 19-Dec-2013: ICS-CERT contacted the IntegraXor support team.
- 19-Dec-2013: Technical report for the vulnerability received.
- 21-Feb-2014: Security fix issued as Release Candidate build 4393 for general download.
- 19-Mar-2014: Security fix issued as Official Release build 4410 for general download.
- 01-Apr-2014: Public announcement made by the IntegraXor support team.