lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201603280837.u2S8bHPi003339@sf01web1.securityfocus.com>
Date: Mon, 28 Mar 2016 08:37:17 GMT
From: harish.ramadoss@...pag.com
To: bugtraq@...urityfocus.com
Subject: Validation Bypass in C2Box application : CVE - 2015-4626

#####################################
Title: Validation Bypass in C2Box application allows user to input negative value
Author: Harish Ramadoss 
Vendor: boxautomation(B.A.S)
Product: C2Box
Version: All versions below 4.0.0(r19171)
Tested Version: Version 4.0.0(r19171)
Severity: Medium
CVE Reference: 2015-4626

# About the Product:
B.A.S C2Box provides global solutions enabling full control and visibility over cash positions and managing domestic or cross border payment processes.

# Description:
Performing validation in client side code, generally JavaScript, provides no protection for server-side code. An attacker can simply disable JavaScript use a security testing proxy such as BurpSuite to bypass the client side validation. Invalidated input might corrupt business logic.

# Vulnerability Class:
Unvalidated Input - https://www.owasp.org/index.php/Unvalidated_Input

# How to Reproduce: (POC):
While creating an overdraft using the overdraft editor form on C2Box application disable JavaScript to disable client side validation and the value can be intercepted using a proxy and negative value can be inserted corrupting the business logic. 

# Disclosure:
Discovered: June 10, 2015
Vendor Notification: June 10, 2015
Advisory Publication: Mar 28, 2016
Public Disclosure: Mar 28, 2016

# Solution:
Upgrade to the latest Build will fix this issue.
The new version number is 15.6.22
Release date: June 22, 2015
&#8195;
# credits:
Harish Ramadoss
Senior Security Analyst
Help AG Middle East

#References:
[1] help AG middle East http://www.helpag.com/.
[2] http://www.boxautomation.com/.
[3] https://www.owasp.org/index.php/Unvalidated_Input
[4] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ