Sage acknowledges 'low risk' Pastel vulnerabilities

By Jon Tullett, Editor: News analysis
Johannesburg, 02 Jun 2014
Sage Pastel is taking steps to reduce the risk of a vulnerability in one of its products, says MD Steven Cohen.

A security flaw in Sage's Pastel accounting products could expose user data, but the real-world risk may be relatively low.

IT consultant Johan Pienaar went public last week with details of a security flaw in the way data is managed by the Pervasive database underlying several Pastel products. The database is unsecured, meaning anyone with a copy of the files could examine the underlying data.

And with the database being a simple file system structure, multi-user environments require that any users have effectively unfettered access to the database. Other possible leaks include misplaced backup devices, and file-sharing among consultants. "Data is routinely passed on flash drives to Pastel partners and auditors, which means unless care was taken, your data is vulnerable," Pienaar said.

"Any user you ever loaded on the system will have full access to your books, regardless of limits on access you set for him or her. If any technician or third-party ever worked on your machine they could have copied your data and will now be able to access all your company data."

The Pervasive Control Centre can be used to load a third-party's data, and the database password can be reset using simple admin techniques described in support pages online, Pienaar said.

Pienaar also found evidence of that data sharing in a public FTP site operated by Sage, with the financial data of "20 to 30 companies" available for download. The FTP site has since been closed.

Sage Pastel MD Steven Cohen acknowledged the vulnerability but said the risk was small and limited to specific versions of the software, and that the company was taking steps to reduce it.

Consequence

"There are two separate issues: the FTP site and the software in general," Cohen said. "The FTP site was a public fileshare used to distribute patches to customers. It should not have been used by customers to exchange private data. The site was shut down, and current versions of the software use HTTP for updates.

"The database vulnerability affects the Pervasive database used by one of our product lines, not the SQL database used by others, and it is unfortunately a consequence of simple file-based databases like we and our competitors use."

The Sage Pastel Xpress product is affected by the flaw. Sage Pastel Evolution, and the MyBusiness range, which use variants of Microsoft SQL Server, are not affected.

About 160 000 customers use the Pervasive version, Cohen said. "Most are single users, and the risk to them of someone stealing files off their PC is very small. It's been like this for 10 years, and I have never heard of a breach."

Sage is also on the verge of releasing a version which hosts data in Microsoft's Azure framework, which will prevent files from exposure, Cohen said. Pienaar plans to offer a similar service under the banner "Pastel Secured".

Although the risk may be low, the flaw is now common knowledge, and users of Pervasive-driven Pastel versions who exchange data with third parties such as consultants or offsite backup services should consider encrypting that information to keep it from falling into the wrong hands.
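The article's closing advice is that the data files themselves are readable by anyone holding a copy, so the practical control is to encrypt a company folder before it leaves the machine on a flash drive or goes to an offsite backup. The script below is an added example written for this page; it is not Sage's software, not Pienaar's "Pastel Secured" service and not part of the original article. It assumes only a POSIX shell with `tar` and a reasonably current `openssl` (1.1.1 or later, for the `-pbkdf2` option); the directory layout, file contents and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or Sage): wrap a data directory in an
# encrypted archive before handing it to a consultant or backup service, and
# verify that it restores cleanly. AES-256-CBC with a PBKDF2-derived key via
# openssl. Directory names, contents and passphrase below are constructed.

set -e

# encrypt_dir SRC_DIR OUT_FILE PASSFILE
# Archives SRC_DIR and encrypts the stream; the passphrase is read from a
# file so it never appears on the command line or in shell history.
encrypt_dir() {
  src="$1"; out="$2"; passfile="$3"
  tar -cf - -C "$(dirname "$src")" "$(basename "$src")" \
    | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass "file:$passfile" -out "$out"
}

# decrypt_dir IN_FILE DEST_DIR PASSFILE
# Reverses encrypt_dir, unpacking the archive under DEST_DIR.
decrypt_dir() {
  in="$1"; dest="$2"; passfile="$3"
  mkdir -p "$dest"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
      -pass "file:$passfile" -in "$in" \
    | tar -xf - -C "$dest"
}

# demo: builds a constructed company folder, round-trips it through
# encrypt_dir/decrypt_dir, checks the restore matches and that the
# plaintext is not visible in the archive. Prints the work directory.
demo() {
  work="$(mktemp -d)"
  mkdir -p "$work/company/data"
  printf 'constructed ledger row\n' > "$work/company/data/ledger.dat"
  printf 'example-passphrase-change-me\n' > "$work/pass.txt"
  chmod 600 "$work/pass.txt"

  encrypt_dir "$work/company" "$work/company.tar.enc" "$work/pass.txt"
  decrypt_dir "$work/company.tar.enc" "$work/restore" "$work/pass.txt"

  # Restored file must be byte-identical to the original.
  cmp "$work/company/data/ledger.dat" \
      "$work/restore/company/data/ledger.dat"

  # The plaintext string must not be recoverable from the archive.
  if grep -q 'constructed ledger row' "$work/company.tar.enc"; then
    echo "plaintext leaked into archive" >&2
    return 1
  fi
  echo "$work"
}
```

Only the encrypted `company.tar.enc` should be shared; the passphrase file travels by a separate channel, and the `cmp` step is the check that the recipient can actually restore what they received before the originals are deleted or overwritten.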
