Tyler Technologies Court Case Management Plus use of Aquaforest TIFF Server tssp.aspx allows authentication bypass

Vulnerability

The vulnerability exists in Tyler Technologies Court Case Management Plus, which bundles a deprecated version of Aquaforest TIFF Server (likely 2.x). The tiffserver/tssp.aspx endpoint accepts FN and PN parameters that allow an unauthenticated remote attacker to enumerate and access sensitive files [1][2]. This weakness is mapped to CWE-22 [1]. All versions of TIFF Server contain this architectural design flaw [1].

Exploitation

An unauthenticated attacker with network access can send crafted HTTP requests to tssp.aspx using the PN= parameter to enumerate file names in a directory, and if the file is a document, it can also be viewed [2]. Additionally, the tiffserver.aspx endpoint combined with te003.aspx or te004.aspx allows enumeration of directories on the system and the entire network [2]. No authentication or user interaction is required [2].

Impact

Successful exploitation allows an unauthenticated attacker to view documents that should otherwise require authentication, detect directories the TIFF Server process has access to, count files within those directories, and detect the existence of files [1]. This can lead to exposure of sealed, confidential, unredacted, or otherwise restricted court case documents [2][3].

Mitigation

Aquaforest announced sunsetting TIFF Server by May 31, 2024, with no further product updates [4]. The vulnerable feature was removed on or around 2023-11-01 [1]. Organizations should upgrade to the PSPDFKit Web Standalone solution or replace the deprecated component entirely [4]. Tyler Technologies Court Case Management Plus users should apply any available vendor patches and restrict network access to the TIFF Server endpoints.