0-Day: Front Accounting 2.3.13 Predictable File Name and Public Path

Front Accounting (FA) has document storage capabilities. Three issues arise:

1) FA stores documents under the web server's document root
2) FA uses a non-random (predictable) way to generate the report file names
3) these reports are served without any authentication, so anyone who knows or guesses the path can retrieve them

The known file locations are below, where x is the company number starting at 0 (zero).

http://[server]/company/x/pdf_files/[non-random-string].pdf
http://[server]/company/x/attachments/[non-random-string]

The software uses the uniqid PHP routine to generate the file names. uniqid derives its output from the current time in microseconds, and the PHP manual states that it does not generate cryptographically secure values:
http://php.net/manual/en/function.uniqid.php

Because it is difficult to show, please see the screen print below regarding the non-random name.
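As an added illustration (not FrontAccounting's own code), the snippet below puts the pattern described above, a uniqid()-based name under the web root, beside a hardened alternative: a name drawn from random_bytes(), a storage directory outside the document root, and a download handler that checks the session before streaming the file. The directory $privateDir, the $session array with 'user_id' and 'company_id', and the $reportOwnerCompany value are assumptions for the example, not names from the product.

```php
<?php
// Added example, not FrontAccounting's code. Assumed names: $privateDir,
// $session['user_id'], $session['company_id'], $reportOwnerCompany.
declare(strict_types=1);

// --- Vulnerable pattern (the one the advisory describes) ---------------------
// The file lands under the web root and gets a time-derived name, so it is
// both directly fetchable and guessable by anyone who knows roughly when the
// report was generated.
function vulnerable_report_path(string $webRoot, int $companyId): string
{
    // uniqid() is built from the current time in microseconds.
    return "$webRoot/company/$companyId/pdf_files/" . uniqid() . ".pdf";
}

// --- Hardened pattern --------------------------------------------------------
// 1. Unguessable name: 128 bits from the CSPRNG, hex-encoded (32 chars).
function secure_report_name(): string
{
    return bin2hex(random_bytes(16)) . '.pdf';
}

// 2. Storage outside the document root (e.g. /var/lib/fa-docs), so the web
//    server cannot serve the file directly; only the application can.
function report_dir(string $privateDir, int $companyId): string
{
    return "$privateDir/company/$companyId/pdf_files";
}

function store_report(string $privateDir, int $companyId, string $pdfBytes): string
{
    $dir = report_dir($privateDir, $companyId);
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    $name = secure_report_name();
    if (file_put_contents("$dir/$name", $pdfBytes, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $dir/$name");
    }
    return $name; // store this name against the report record in the database
}

// 3. Authenticated download: the requester must be logged in and belong to
//    the company that owns the report. $reportOwnerCompany is assumed to come
//    from the application's own report table, keyed by $name.
function serve_report(array $session, int $reportOwnerCompany, string $privateDir, string $name): void
{
    if (empty($session['user_id']) || (int)$session['company_id'] !== $reportOwnerCompany) {
        http_response_code(403);
        exit;
    }
    // Only the exact shape produced by secure_report_name() is accepted,
    // which also rules out "../" style path traversal in $name.
    if (!preg_match('/\A[0-9a-f]{32}\.pdf\z/', $name)) {
        http_response_code(400);
        exit;
    }
    $path = report_dir($privateDir, $reportOwnerCompany) . "/$name";
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="report.pdf"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```

The three changes address the three issues independently: moving the directory outside the document root removes the public path, random_bytes() removes the predictable name, and the session check in serve_report() removes the missing authentication. Any one of them on its own leaves the other two weaknesses in place, which is why a fix should apply all three.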

I emailed the software company through their website but did not receive a reply. This was also disclosed to securityfocus.com but I believe it was not publicly reported since the email contained the image below as an attachment (or the original email was HTML and not TXT).

[Screen print: frontaccounting-non-random]