High-Tech Bridge's research team identified two vulnerabilities in the popular Bonita BPM Portal, which is used by a number of banks and financial organisations. Bonita has more than 1,000 customers in 75+ countries. The two issues, an arbitrary file disclosure (reading files from the server's filesystem that the application was never meant to serve) and an open redirect (sending users to an attacker-chosen URL via a trusted Bonita link), could have been exploited by remote, non-authenticated attackers to compromise the vulnerable web application and the web server on which it is hosted.
Both vulnerabilities have since been patched by the vendor, but their existence shows that even well-defended businesses need to weigh the risks that third-party software introduces into online banking systems.
Ilia Kolochenko, CEO of High-Tech Bridge, comments: "For the majority of the affected customers this vulnerability will be critical, as it allows a remote non-authenticated hacker to compromise the vulnerable system. At the same time, this vulnerability is a very particular and interesting case: it affects only recent versions of the software, while very old versions, which have the vulnerable functionality as well, are not affected. The vulnerability was quite probably introduced with some optimisation of the existing code. This is a good example that security auditing shall be conducted on a regular basis, not only with major releases."