Corda Cross Site Scripting / Path Disclosure

2013-07-13T00:00:00
ID PACKETSTORM:122387
Type packetstorm
Reporter Adam Willard
Modified 2013-07-13T00:00:00

Description

Corda Path Disclosure and XSS  
============================================================  
FOREGROUND SECURITY, SECURITY ADVISORY 2013-002  
- Original release date: July 12, 2013  
- Discovered by: Adam Willard (Software Security Analyst at Foreground Security)  
- Contact: (awillard (at) foregroundsecurity (dot) com)  
- Severity: 4.3/10 (Base CVSS Score)  
============================================================  
  
I. VULNERABILITY  
-------------------------  
Corda suffers from a path disclosure vulnerability in Highwire.ashx and from XSS vulnerabilities.  
  
II. BACKGROUND  
-------------------------  
Corda Highwire allows you to generate PDF documents.  
Corda Server .NET Redirector version: 7.3.11.6715 allows the Web server to handle client requests for visualizations.  
  
III. DESCRIPTION  
-------------------------  
Corda Path Disclosure in Highwire.ashx  
Corda Redirector XSS when a file isn't found  
  
  
IV. PROOF OF CONCEPT  
-------------------------  
Path Disclosure  
Requesting the following URL can expose the file system directory:  
/highwire.ashx?url=../../  
  
XSS  
Requesting a similar URL allows XSS to run, as long as the domain in the File parameter matches one of the allowed domains:  
http://<URL>/Corda/redirector.corda/?@_FILEhttp://<URL>/?<script>alert('Text')</script><iframe src=http://www.exploit-db.com></iframe>@_TEXTDESCRIPTIONEN  
  
  
V. BUSINESS IMPACT  
-------------------------  
An attacker could discover the path structure of a drive and attempt directory/file traversal.  
An attacker could perform session hijacking or phishing attacks.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Systems implementing Corda/Domo products  
  
VII. SOLUTION  
-------------------------  
The software has been marked EOL by Domo; Highwire products are no longer supported.  
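
With no vendor fix available, one compensating control is to flag requests in web server logs that match the two request shapes from section IV. The following Python is an added example, not part of the original advisory; the log format, sample lines, host names and finding labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # a ".." path segment
MARKUP = re.compile(r"<\s*/?\s*[a-z!]", re.I)        # start of an HTML tag
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return which of the advisory's two issues a request target matches."""
    parts = urlsplit(target)
    path = fully_decode(parts.path).lower()
    findings = []
    if path.endswith("/highwire.ashx"):
        # Parameter name compared case-insensitively (assumption for this example).
        values = [v for k, v in parse_qsl(parts.query) if k.lower() == "url"]
        if any(TRAVERSAL.search(fully_decode(v)) for v in values):
            findings.append("highwire-path-traversal")
    if "redirector.corda" in path and MARKUP.search(fully_decode(parts.query)):
        findings.append("redirector-markup")
    return findings

def scan(log_text):
    """Return (line_number, findings) for log lines that match either issue."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST.search(line)
        findings = classify(match.group(1)) if match else []
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample access log (addresses, hosts, times and sizes are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jul/2013:10:00:01 +0000] "GET /highwire.ashx?url=../../ HTTP/1.1" 200 512
10.0.0.5 - - [13/Jul/2013:10:00:02 +0000] "GET /HighWire.ashx?URL=%252e%252e%252f HTTP/1.1" 200 512
10.0.0.7 - - [13/Jul/2013:10:01:10 +0000] "GET /Corda/redirector.corda/?@_FILEhttp://app.example.test/?%3Cscript%3Ealert(1)%3C/script%3E@_TEXTDESCRIPTIONEN HTTP/1.1" 404 300
10.0.0.9 - - [13/Jul/2013:10:02:00 +0000] "GET /Corda/redirector.corda/?@_FILEhttp://app.example.test/chart.xml HTTP/1.1" 200 2048
10.0.0.9 - - [13/Jul/2013:10:02:05 +0000] "GET /highwire.ashx?url=http://app.example.test/report.html HTTP/1.1" 200 9000
"""
```

The same two patterns can be turned into blocking rules at a reverse proxy or WAF in front of the affected hosts.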
  
VIII. REFERENCES  
-------------------------  
http://www.domo.com  
http://www.foregroundsecurity.com  
  
IX. CREDITS  
-------------------------  
This vulnerability was discovered by Adam Willard (awillard (at) foregroundsecurity (dot) com)  
  
X. REVISION HISTORY  
-------------------------  
- July 12, 2013: Initial release.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
July 9, 2013: Issue identified within a deployed application by Adam Willard.  
July 9, 2013: Vulnerability discovered by Adam Willard.  
July 12, 2013: Contacted Vendor  
July 12, 2013: Vendor commented that the software is EOL with no support.  
July 12, 2013: Security advisory released.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.  