#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  OfficeSpace [1]
# Vendor:   OfficeSpace Software Inc.
# CSNC ID:  CSNC-2018-020
# Subject:  Credentials in Source Code
# Risk:     Medium
# Effect:   Remotely exploitable
# Author:   Stephan Sekula <stephan.sekula@compass-security.com>
# Date:     18.04.2018
#
#############################################################

Introduction:
-------------
The smarter, easier way to manage your space. [1]

Compass Security discovered a security flaw in OfficeSpace, which
allows authenticated users to elevate their privileges.


Affected:
---------
Vulnerable:
 * Version 3.71.3


Technical Description
---------------------
Users, with role Report Consumer can access /reports/index.jsp,
which contains the application's API token:
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
    <!--
    Smart developers always View Source.
    This application was built using Adobe Flex, an open source framework
    for building rich Internet applications that get delivered via the
    Flash Player or to desktops via Adobe AIR.
    Learn more about Flex at http://flex.org
    // -->
    <head>
      <title>OfficeSpace Software -- Reports </title>
        [CUT BY COMPASS]
        <script type="text/javascript">
            // For version detection, set to min. required Flash Player
			version, or 0 (or 0.0.0), for no version detection.
            var swfVersionStr = "11.1.0";
            // To use express install, set to playerProductInstall.swf,
			otherwise the empty string.
            var xiSwfUrlStr = "playerProductInstall.swf";
            var flashvars = {
              apiToken: "[CUT]"
            };
            [CUT BY COMPASS]
        </script>
    </head>
    <body>
        [CUT BY COMPASS]
   </body>
</html>


Workaround / Fix:
-----------------
This issue can be fixed by not storing the API token in the application's
source code, at least not on pages which are accessible to users who should
not have access to the API token.


Timeline:
---------
2018-07-31:     Public disclosure date
2018-05-02:     Initial vendor response
2018-04-23:     Initial vendor notification
2018-04-18:     Discovery by Stephan Sekula


References:
-----------
[1] https://www.officespacesoftware.com