ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, vuln@xxxxxxxxxxx
Subject: ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities
From: Stefan Friedli <stfr@xxxxxxx>
Date: Mon, 05 Mar 2007 14:06:03 +0100
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:received:x-pgp-universal:message-id:date:from:reply-to:user-agent:mime-version:to:subject:x-pgp-encoding-version:x-content-pgp-universal-saved-content-transfer-encoding:x-content-pgp-universal-saved-content-type:content-type:sender; b=CBrfyftxu8TX+bHI/BZqgK0sp3Fy4pCsX518cK+en+fxjbMZgpWTzT5xLKOiM2cTB8YSeDFKHXIfZlBkj5X2o91SrloJz5sbSa2c2+EH2LmmuBp1KGAXoRnmSpQW1PxYSeiT43mtd4OdeM1XtOiWgbUKkRvNmBq3v3S3QX8H2eE=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:x-pgp-universal:message-id:date:from:reply-to:user-agent:mime-version:to:subject:x-pgp-encoding-version:x-content-pgp-universal-saved-content-transfer-encoding:x-content-pgp-universal-saved-content-type:content-type:sender; b=ASNpmk2w4hbC7Irt8/YSEG/TySy0hpZi0g74ooYtHz87j80CmOwEqu16aXR+R+XIdxZVJDgzHrz9OWZ7fyclUgJorHTHOAhqJOTr+eO6Dt80wbKlDsgICF/fbE1WkF0QYMfgmQrErJlDLP9AB2BbeEWPQhmnjJQtFss+gFtPeH4=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: stfr@xxxxxxx
Sender: Stefan Friedli <stefan.friedli@xxxxxxxxx>
User-agent: Thunderbird 1.5.0.10 (Windows/20070221)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities

scip AG Vulnerability ID 2893 (12/22/2006)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2893

I. INTRODUCTION

ePortfolio is a e-banking application by TKS Banking Solutions.

More information is available on the vendors web site at the following URL:

     http://www.tksbankingsolutions.com/

II. DESCRIPTION

Stefan Friedli found several web-based vulnerabilities that were 
identified in ePortfolio version 1.0 Java and may affect earlier 
versions as well.

The application uses heavy amounts of javascript code for operation. As 
this is not generally a bad thing, it causes massive problems when it 
comes to data validation. As we recognized, the entire validation of 
input is realized by client-side javascript which can easily be bypassed 
using a Proxy BURPproxy or WebScarab to modify original requests sent 
(and validated) by the browser.

We assume this vulnerability to exist in nearly every form offered by 
the application. Due to the limited functionality of the account used 
for testing, we're not able to definitely confirm or deny this fact.

PoC Code is not being published.


IV. IMPACT

As there is a serious lack of server-side measured to protect the 
application from malicious input, an attacker may realize nearly every 
attack that relies on lacking input-validation which includes Cross Site 
Scripting and Cross-Site Request Forgery (Session Riding) .

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or 
intrusion detection system. Patterns for detection of basic attacks are 
available and easy to implement, though they may possibly fail on more 
sophisticated attacks.

VI. SOLUTION

Server-side input validation should be provied by the application vendor 
as soon as possible.


VII. VENDOR RESPONSE

The problems were recognized and will, according to the vendor, be 
adressed with the next release by the end of this week. Further, the 
vendor claims to be able to change the faulty behaviour remotely or by 
editing a non-specified file for existing customers.

VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2893

IX. DISCLOSURE TIMELINE

12/22/06 Identification of the vulnerabilities
02/05/07 Notification of the vendor
03/02/07 Vendor Response
03/02/07 Release of public advisory

IX. CREDITS

The vulnerabilities were discovered by Stefan Friedli.

     Stefan Friedli, scip AG, Zuerich, Switzerland
     stfr-at-scip.ch
     http://www.scip.ch


A2. LEGAL NOTICES

Copyright (c) 2007 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not 
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time 
of publishing based on currently available information. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect or 
consequential loss or damage from use of or reliance on this advisory.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6

iQA/AwUBRewVwVJ79Mw3xa1EEQImugCeI1Jzz612APrcXkzzIGsuHPB/xz0An3oD
j48MiupM2jtTyTp08Oukqkvi
=ftmv
-----END PGP SIGNATURE-----

Prev by Date: Show Password Admin In Script Uploadscript
Next by Date: Konqueror DoS Via JavaScript Read Of FTP Iframe
Previous by thread: Show Password Admin In Script Uploadscript
Next by thread: Konqueror DoS Via JavaScript Read Of FTP Iframe
Index(es):
- Date
- Thread