what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mida Solutions eFramework 2.9.0 XSS / Code Execution / SQL Injection

Mida Solutions eFramework 2.9.0 XSS / Code Execution / SQL Injection
Posted Jul 21, 2020
Authored by Andrea Baesso

Mida Solutions eFramework versions 2.9.0 and below suffer from command execution, cross site scripting, denial of service, remote SQL injection, and path traversal vulnerabilities.

tags | advisory, remote, denial of service, vulnerability, xss, sql injection, file inclusion
SHA-256 | db1197488f5f0da6143f4fb525ee7b70599595b5ce4d6adf117f66e0df49f1c3

Mida Solutions eFramework 2.9.0 XSS / Code Execution / SQL Injection

Change Mirror Download
=============================================
Title: Mida Solutions eFramework Multiple Vulnerabilities
Date: 19/07/2020
Author: Andrea Baesso
Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
Vendor Homepage: https://www.midasolutions.com/
Software Link: ova-efw.midasolutions.com
Software: Mida eFramework
Versions: <=2.9.0
Tested on: 2.8.9, 2.9.0
CVE : Mitre is aware, still waiting
=============================================


Vendor description:
-------------------
"Mida Solutions is a high skilled Italian company focusing on Unified
Communication. Since 2004, it offers unique expertise and a complete suite
of advanced services and voice applications with the mission to provide
value added innovative technologies for communication."
Source: https://www.midasolutions.com/it/


Business recommendation:
------------------------
The vendor did not respond to my communication attempts, hence no patch is
available.
A third party patch may be released either if the company will not fix the
product in the next months or at request.
Do not expose the software on WAN. Use ACL to allow or deny access to the
software.



Vulnerability overview/description:
-----------------------------------
1. OS Command Injection Remote Code Execution Vulnerability (RCE) and
Denial of Service (Dos)
(Unauthenticated)
There is an OS Command Injection in eFramework <= 2.9.0 that allows an
attacker a Remote Code Execution (RCE) with administrative (root)
privileges. No authentication is required. The injection point resides on
an *undisclosed* PHP page which can be targeted with either GET or POST
malicious payload.

2,3,4. OS Command Injection RCE
(Unauthenticated <= 2.8.9, Authenticated 2.9.0)
There is an OS Command Injection in eFramework <= 2.8.9 that allows an
attacker to trigger a Remote Code Execution (RCE), with administrative
(root) privileges, through OS Command Injection. No authentication is
required. The injection point resides on an *undisclosed* PHP page.

5. SQL Injection
(Unauthenticated)
There is an SQL Injection in eFramework <= 2.9.0 that leverages to
Information Disclosure. No authentication is required. The injection point
resides in one of the authentication parameters.

6. Path Traversal
(Unauthenticated, with root level access <= 2.8.9, with user level access
2.9.0)
eFramework <= 2.9.0 in its component *undisclosed* has a ../ directory
traversal vulnerability. Successful exploitation could allow an attacker to
traverse the file system to access files or directories that are outside of
the restricted directory on the remote server with administrative
privileges.

7. Administrative Back-door access
(Unauthenticated)
Mida Solutions eFramework <= 2.9.0 in its component *undisclosed* has a
back-door which permits to change the administrative password and access
restricted functionalities. Successful exploitation could allow an attacker
to access the web application with an administrative account and leverage
other vulnerabilities to obtain Code Execution.

8. Reflected Cross-Site Scripting (XSS)
(Unauthenticated)
A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Mida
Solutions eFramework <= 2.9.0 component *undisclosed*.

9. Stored XSS
(Authenticated)
Multiple Stored Cross Site Scripting (XSS) were discovered in Mida
Solutions eFramework <= 2.9.0 component *undisclosed*.


Proof of concept:
-----------------
PoC not publicly released.


Vulnerable / tested versions:
-----------------------------
Mida Solutions eFramework version 2.8.9 has been tested, which was the
latest version
available at the time of the test. Previous versions may also be affected.

In the first quarter of the year the vendor released a newer version 2.9.0.
However, the latest
version is still vulnerable to the above vulnerabilities.

Vendor response:
------------------------
No response or statement from the vendor.

Vendor contact time-line:
------------------------
18/02/2020 e-mail through VSX
25/02/2020 e-mail to info@midasolutions.com
27/02/2020 e-mail to support@midasolutions.com
28/02/2020 e-mail to info@midasolutions.com
02/03/2020 chat-bot web-site
02/03/2020 e-mail to info@midasolutions.com
26/03/2020 phone-call to company hq (049**652)
(we are working on it and we will contact you)
27/04/2020 e-mail to info@, support@, sales@, mauro.franchin@
10/05/2020 e-mail to info@, support@ (with PoC exploit)
09/06/2020 report to kb.cert.org
01/07/2020 kb.cert.org response received (suggesting public disclosure in
around 2 weeks)
Public disclosure date set(15/07/2020) and draft link reported to
info@midasolutions.com
08/07/2020 some companies, which are exposing this software on WAN, were
notified about the imminent disclosure.
15/07/2020 partial public disclosure


Solution:
---------
The vendor did not respond to my communication attempts, hence no patch is
available.
A third party patch may be released either if the company will not fix the
product in the next months or at request.


Workaround:
-----------
Do not expose the software on WAN. Use ACL to allow or deny access to the
software.


Ref. URL:
-------------
https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close