
Critical security hole discovered in Spiceworks network admin application


June 23, 2015


A critical security hole has been discovered in the Spiceworks network administration application.

The security issue, uncovered by Spiceworks' Darren Smith, allows anyone with a Facebook or LinkedIn account to log in as an administrator with full privileges.

Spiceworks has responded by temporarily disabling social sign-in until the security bug can be addressed.

The bug was discovered in a clean installation of version 7.4 of the Spiceworks app. That version of the application enables social sign-in by default.

Social sign-in is the ability to log into websites and other applications using social media accounts. In the case of Spiceworks, both Facebook and LinkedIn are supported.

The intent is to make the Spiceworks application, and more critically, the Spiceworks community forums more accessible to individuals not wanting to create a Spiceworks account.

Spiceworks' initial response to the bug was less than stellar, although it has since been edited. The issue was downplayed as Spiceworks believed it would not affect many users.

Spiceworks users were pretty quick to point out that this was an inappropriate response: the severity of the flaw is in the 'WTF' class, even if it only affects a small number of installs, and Spiceworks changed its tune pretty quickly.

Social sign-in has been a feature of the Spiceworks community forums for some time, but has only recently seen inclusion in the administration application itself.

The administration application doesn't update itself automatically by default, so older installs (from before social sign-in was switched on) should be safe from this particular issue. Like any application, though, flaws are discovered in Spiceworks regularly, so running too old a version could leave you vulnerable to other attacks.

If you attempt to upgrade your existing Spiceworks installation you may encounter a separate bug that could leave you unsure of your application status.

When an upgrade is triggered on an older installation, as we have just done with one of ours, a screen appears saying "Version 7.3 of Spiceworks is being downloaded".

However, it will in fact update you to the latest version, 7.4.0065. We have confirmed that both new installs of 7.4.0065 and other installs which upgrade to it are currently behaving as though social sign-in has been disabled.

For now, it is unknown if Spiceworks will re-enable social sign-in as a default once it has fixed the security bug and issued a new release.

If you have been keeping Spiceworks up to date and fear that someone may have used a social networking account to create an administrative login on your Spiceworks install, go to Settings > User Accounts in Spiceworks and check the list of admin users to make sure all is as it should be.

Source: Spiceworks.
