what you don't know can hurt you

Epicor Password Disclosure / Cross Site Scripting

Epicor Password Disclosure / Cross Site Scripting
Posted Oct 1, 2014
Authored by Fara Denise Rustein

Epicor suffers from cross site scripting and password disclosure vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure
advisories | CVE-2014-4311, CVE-2014-4312
MD5 | 0dba91aa0a03bab09020d4c1a614304e

Epicor Password Disclosure / Cross Site Scripting

Change Mirror Download
"Epicor Enterprise vulnerabilities"

- Affected vendor: Epicor Software Corporation
- Affected system: Epicor Enterprise - Version 7.4
- Vendor disclosure date: May 13th, 2014
- Public disclosure date: September 30th, 2014
- Status: Fixed

- Associated CVEs:

1) CVE-2014-4311
Password values not masked appropriately:
Even though the application appears to be masking the affected password values
in the database connection and email settings page, it is possible to access
their content by observing the HTML code.

Affected password values:
- “Database Connection”
- “E-mail Connection”

Associated CAPEC:
CAPEC-167: Lifting Sensitive Data from the Client -
https://capec.mitre.org/data/definitions/167.html

Associated CWE:
CWE-200: Information Exposure - http://cwe.mitre.org/data/definitions/200.html

2) CVE-2014-4312
Persistent and reflective cross-site scripting (XSS) attacks possible:
The identified website is vulnerable to persistent and reflective cross-site
scripting. Script injection is a weakness within an application, and is due to
insufficient validation of the input data (i.e. input data being sent from the
user/presentation layer) and output encoding allowing dynamic execution of
scripts on the application front end resulting in anomalous/abnormal behaviour
of the application.

Example of affected functionalities for persistent XSS:
- 1. While viewing Order details, and injecting a malicious payload on the
"Notes" section.
- 2. While modifying an “Order to consume” and injecting a malicious payload
on the "Description" section.
- 3. While observing the “Favorites” section and and injecting a malicious
payload on the “Favorites name” section.
Example of an injected payload: <script>alert("XSS")</script>

Example of affected URLs for reflective XSS:
- 1.
https://XXXXX/Procurement/EKPHTML/search_item_bt.asp?RecordsRequested=Yes&FiltPartNo=&FiltSupplier=-1&FiltKeyword=<script>alert("XSS")</script>
- 2.
https://XXXXX/Procurement/EKPHTML/EnterpriseManager/Budget/ImportBudget_fr.asp?Act=dtt"><script>alert("XSS")</script>
- 3. https://XXXXX
/Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp?hdnPageName=UserSearch&hdnOpenerFormName=PrefApp&hdnApproverFieldName=temp1&hdnApproverIDFieldName=temp2&hdnUserID=200&hdnOpener=Test"><script>alert("XSS")</script>
- 4.
https://XXXXX/Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp?hdnOpenerFormName=PrefApp&hdnApproverFieldName="><script>alert("XSS")</script>
- 5.
https://XXXXX/Procurement/EKPHTML/EnterpriseManager/Codes.asp?INTEGRATED=XSS">--><script>alert("XSS")</script>

Associated CAPEC:
CAPEC-32: Embedding Scripts in HTTP Query Strings -
https://capec.mitre.org/data/definitions/32.html

Associated CWE:
CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting') - http://cwe.mitre.org/data/definitions/79.html

- Available fix:
Epicor Enterprise Hotfix: FS74SP6_HotfixTL054181

- Credit:
These vulnerabilities were discovered by Fara Rustein.
If you have any questions, comments, concerns, updates or suggestions please
contact Fara Rustein (TW: @fararustein).


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    16 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close