full-disclosure - [FD] Thomson Reuters FATCA

Open Source and information security mailing list archives

Message-ID: <CAM8W6xxNmW0FfhNzAPERmLJ7eEEM4fjT=580Jix+TaRhUc=byA@mail.gmail.com>
Date: Mon, 10 Aug 2015 21:56:20 +0200
From: Etnies <kuba25101990@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Thomson Reuters FATCA - Local File Inclusion

Title: Thomson Reuters FATCA - Local File Inclusion
Author: Jakub Pałaczyński
Date: 10. June 2015
CVE: CVE-2015-5952

Affected software:
==================

All versions of Thomson Reuters FATCA below v5.2

Exploit was tested on:
======================

Thomson Reuters FATCA v5.1.0.30

Description:
============

The Thomson Reuters for FATCA solution enables organizations to comply with
the key requirements of both CRS and FATCA.[1]

Vulnerabilities:
****************

Local File Inclusion:
============================================

Application's parameter "item" is vulnerable to Local File Inclusion, which
makes it possible to include application/system files.
Using this vulnerability FATCA users can for example include uploaded PHP
files (upload directory can be retrieved from the application's error
message) and execute system commands.

References:
===========

[1] Overview:
https://risk.thomsonreuters.com/products/thomson-reuters-fatca

Contact:
========

Jakub[dot]Palaczynski[at]ingservicespolska[dot]pl

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives