Date: Thu, 29 May 2014 16:21:13 -0500
From: Walter Cuestas <wcuestas@...n-sec.com>
To: fulldisclosure@...lists.org
Subject: [FD]  Bizagi BPM Suite contains multiple vulnerabilities

Vulnerability Note VU#112412
Bizagi BPM Suite contains multiple vulnerabilities

Overview
Bizagi BPM Suite contains a reflected cross-site scripting vulnerability
and a SQL injection vulnerability.

Description
CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting') - CVE-2014-2947
According to Open-Sec consultant Mauricio Urizar, all versions of Bizagi
BPM Suite contain a reflected cross-site scripting (XSS) vulnerability. The
application fails to sanitize the txtUsername POST parameter to the
Login.aspxpage.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command
('SQL Injection') - CVE-2014-2948
Furthermore, Urizar reports that all versions of Bizagi BPM Suite are
vulnerable to SQL injection attacks through theworkflowenginesoa.asmx web
service. By sending specially crafted SOAP requests to the web service, a
remote authenticated attacker can execute arbitrary SQL statements.

The CVSS score reflects CVE-2014-2948.

Impact
By exploiting the reflected XSS vulnerability, a remote unauthenticated
attacker may be able to execute arbitrary javascript in the context of the
victim's browser. By exploiting the SQL injection vulnerability, a remote
authenticated attacker may be able to read, modify, or delete data from the
database.

Solution
Bizagi has stated that the cross-site scripting vulnerability
(CVE-2014-2947) was fixed in version 10.3. To remediate the SQL injection
vulnerability, a hotfix is available for 64-bit installations of the 10.3
official release. A separate hotfix is available for 64-bit installations
of the 10.4 official and latest release. Bizagi has provided the following
patching instructions:

1. Ensure that you have temporarily stopped your project service (at the
IIS), and that your project is using a 64-bit installation.
2. Replace the "BizAgi.WFES.dll" file found inside the zipped folder of the
fix, so that you paste this assembly into the bin folder of your Bizagi
Work portal.
(By default, the bin is located as
"C:\BizAgi\Enterprise\Projects\[your_Project]\WebApplication\bin\"). This
will replace an older file having the same name.
3. Proceed to re-start your project service (at the IIS).

In addition, Bizagi advises users to consult the "Security setup
recommendations" documentation in the meantime. Users who are unable to
patch should consider the following workaround:
Restrict Access

As a general good security practice, only allow connections from trusted
hosts and networks.

Vendor Information (Learn More)

Vendor Status Date Notified Date Updated
Bizagi Affected 11 Apr 2014 22 May 2014

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
Temporal 7.3 E:POC/RL:W/RC:C
Environmental 1.9 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References
http://www.bizagi.com/products/bizagi-bpm-suite/overview-bpm-suite
http://help.bizagi.com/bpmsuite/en/index.html?setup_security.htm

Credit
Thanks to Mauricio Urizar for reporting this vulnerability.
This document was written by Todd Lewellen.

Other Information
CVE IDs: CVE-2014-2947 CVE-2014-2948
Date Public: 22 May 2014
Date First Published: 22 May 2014
Date Last Updated: 22 May 2014
Document Revision: 14
---
Walter Cuestas Agramonte

*They run automated tools, We have ETHICAL HACKERS !*
*Offensive Security Certified Professional / **C|EH **C)PTE **C)PTC*
 Gerente General
 Celular: (+51) 997926168

Ethical Hacking/InfoSec
http://www.open-sec.com
http://ehopen-sec.blogspot.com/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists