what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

IBM Sterling B2B Integrator Cross Site Scripting

IBM Sterling B2B Integrator Cross Site Scripting
Posted Nov 5, 2021
Authored by T. Silpavarangkura, Sutthiwat Panithansuwan | Site sec-consult.com

IBM Sterling B2B Integrator suffers from a cross site scripting vulnerability. Versions affected include 5.2.0.0 through 5.2.6.5_3, 6.0.0.0 through 6.0.3.4, and 6.1.0.0 through 6.1.0.2.

tags | exploit, xss
advisories | CVE-2021-20562
SHA-256 | b6d82ee2ddf3add475ca8f0e7254bd649739bfd47a776b2327a65546609217f5

IBM Sterling B2B Integrator Cross Site Scripting

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20211104-0 >
=======================================================================
title: Reflected cross-site scripting vulnerability
product: IBM Sterling B2B Integrator
vulnerable version: 5.2.0.0 - 5.2.6.5_3
6.0.0.0 - 6.0.3.4
6.1.0.0 - 6.1.0.2
fixed version: 5.2.6.5_4 or higher
6.0.3.5 or higher
6.1.0.3 or higher
CVE number: CVE-2021-20562
impact: medium
homepage: https://www.ibm.com/products/b2b-integrator
found: 2021-02-03
by: Sutthiwat Panithansuwan (Office Bangkok)
Thongchai Silpavarangkura
SEC Consult Vulnerability Lab

An integrated part of SEC Consult, an Atos company
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"IBM® Sterling B2B Integrator helps companies integrate all their complex B2B
and EDI processes across partner communities in a single gateway. It provides a
flexible platform, available on premises or through hybrid cloud, that supports
data transformation and most communication protocols; secures your B2B network
and data; provides certified container support; and achieves high availability
for operations with IBM Sterling Global Mailbox. B2B Integrator enables you to
reduce costs by consolidating on a single platform and automating B2B processes
across enterprises, while providing governance, adherence to standards and
visibility for those processes."

Source: https://www.ibm.com/products/b2b-integrator


Business recommendation:
------------------------
SEC Consult recommends updating to the latest version of IBM Sterling B2B
Integrator.

An in-depth security analysis performed by security professionals is highly
advised, as the software may be affected from further security issues.


Vulnerability overview/description:
-----------------------------------
1) Reflected Cross-Site Scripting (CVE-2021-20562)
A reflected cross-site scripting vulnerability has been identified across
multiple functions in the mailbox component of IBM Sterling B2B Integrator,
which can be exploited under the specific condition of a victim's session.


Proof of concept:
-----------------
1) Reflected Cross-Site Scripting (CVE-2021-20562)
The "securetoken" parameter of the following scripts is affected by the
reflected cross-site scripting vulnerability:
/mailbox/jsp/MBIList.jsp
/mailbox/jsp/MBISearch.jsp
/mailbox/jsp/MBISend.jsp

The exploitation is successful if the "SCI_DLSSO" cookie is valid, and the
"JSESSIONID" cookie of the mailbox is invalid or does not exist. One of the
possible scenarios to meet this condition is proceeding to the following steps:

1. Log in to the dashboard via https://<host>/dashboard/Login to obtain an
"SCI_DLSSO" cookie.

2. Visit the mailbox web page via https://<host>/mailbox, which gets logged
in automatically since the web browser sends the "SCI_DLSSO" cookie from the
step 1 to obtain a "JSESSIONID" cookie of the mailbox (Path=/mailbox/).

3. Log out of the dashboard via https://<host>/dashboard/Logout
The server appears to invalidate both "SCI_DLSSO" cookie in the step 1 and
mailbox's "JSESSIONID" cookie in the step 2.

4. Log in to the dashboard via https://<host>/dashboard/Login again to obtain
a new "SCI_DLSSO" cookie.

5. Visit one of the following attacker-prepared URLs, where the web browser
uses the mailbox's "JSESSIONID" cookie in the step 2 and the "SCI_DLSSO"
cookie in the step 4, as follows:

https://<host>/mailbox/jsp/MBIList.jsp?securetoken=%3C/script%3E%3Cscript%3Ealert(location.origin);%3C/script%3E%3Cscript%3E
https://<host>/mailbox/jsp/MBISearch.jsp?securetoken=%27%22)%3C/a%3E%3Csvg/onload%3dalert(location.origin)%3E
https://<host>/mailbox/jsp/MBISend.jsp?securetoken=%27)%22%3E%3Csvg/onload=alert(location.origin)%3E


Vulnerable / tested versions:
-----------------------------
The version 6.1.0.0 has been tested. According to the vendor, the following product
versions are affected:
* 5.2.0.0 - 5.2.6.5_3
* 6.0.0.0 - 6.0.3.4
* 6.1.0.0 - 6.1.0.2


Vendor contact timeline:
------------------------
2021-02-06: Contacting vendor through HackerOne
2021-02-07: HackerOne: Report is currently under investigation
2021-02-23: Vendor: still investigating the vulnerability
2021-02-24: Status change to "triaged", confirmed that it is a valid vulnerability
Kindly asking vendor to keep us informed
2021-03-29: Asking for a status update
2021-03-29: Vendor will contact us when the public notice / patch is available
2021-04-16: Vendor is still working on the issue.
2021-06-23: Asking for a status update
2021-06-29: Vendor is still working on the issue.
2021-07-27: Vendor: The issue is fixed in previous releases but not in 6.0 yet,
which is scheduled for a later date.
2021-10-15: Vendor: all patches are publicly available
2021-11-04: Coordinated release of the security advisory


Solution:
---------
The vendor provides patches for the affected product versions:
* 5.2.6.5_4 or higher
* 6.0.3.5 or higher
* 6.1.0.3 or higher

Further information can be found here:
https://www.ibm.com/support/pages/node/6475301


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Thongchai Silpavarangkura, Sutthiwat Panithansuwan / @2021


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close