Re: SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet

The following CVE numbers have been assigned now:
XSS issue: CVE-2018-11090
Arbitrary File Upload: CVE-2018-11091


On 2018-05-14 13:25, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20180514-0 >
> =======================================================================
>               title: Arbitrary File Upload & Cross-site scripting
>             product: MyBiz MyProcureNet
>  vulnerable version: 5.0.0
>       fixed version: unknown
>          CVE number: -
>              impact: Critical
>            homepage: http://www.mybiz.net/
>               found: 2018-01-29
>                  by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
>                      Fikri Fadzil (Office Singapore)
>                      Wan Ikram (Office Kuala Lumpur)
>                      Jasveer Singh (Office Kuala Lumpur)
>                      SEC Consult Vulnerability Lab
> 
>                      An integrated part of SEC Consult
>                      Europe | Asia | North America
> 
>                      https://www.sec-consult.com
> 
> =======================================================================
> 
> Vendor description:
> -------------------
> "MyBiz is a company fixated on developing technology which transforms the way
> business is done online. At the intersection of what one business needs from
> another is the potential for value to be created differently. This
> intersection for the exchange of value requires technology but in
> fundamentally very different ways from traditional enterprise systems. MyBiz
> believes that the chemistry of business is the business relationships between
> enterprises. The strength of the business relationship drives the success and
> future of the business. MyBiz believes that these business relationships need
> to be captured and orchestrated. MyBiz developed our proprietary Business
> Relationship Network engine, a platform to capture business relationships as
> data to drive new business services which create value efficiently."
> 
> Source: http://www.mybiz.net/copy-of-our-story
> 
> 
> Business recommendation:
> ------------------------
> The vendor did not reply to our inquiries since February 2018 hence the issues
> might still exist in current versions.
> 
> SEC Consult recommends not to use this product until a thorough security review
> has been performed by security professionals and all identified issues have
> been resolved. It is assumed that MyBiz products are affected by further
> critical security issues.
> 
> 
> Vulnerability overview/description:
> -----------------------------------
> The identified vulnerabilities can be exploited after authentication but
> the registration for the application is usually open for anyone.
> 
> 1. Arbitrary File Upload
> A malicious file can be uploaded to the webserver by an attacker. It is
> possible for an attacker to upload a script to issue operating system
> commands.
> 
> This vulnerability occurs because an attacker is able to adjust the
> "HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary
> extensions to the whitelist during the upload.
> 
> For instance, if the extension .asp is added to the
> "HiddenFieldControlCustomWhiteListedExtensions" parameter, the server
> accepts "secctest.asp" as a legitimate file. Hence malicious files can be
> uploaded in order to execute arbitrary commands to take over the server.
> 
> 
> 2. Reflected Cross-site scripting
> This vulnerability within "ProxyPage.aspx" allows an attacker to inject
> malicious client side scripting which will be executed in the browser of
> users if they visit the manipulated site.
> 
> 
> Proof of concept:
> -----------------
> The proof of concept has been removed as no patch is available.
> 
> 
> Vulnerable / tested versions:
> -----------------------------
> MyBiz MyProcureNet version 5.0.0 has been tested and found to be vulnerable. This
> was the latest version available at the time of the test.
> 
> 
> Vendor contact timeline:
> ------------------------
> 2018-02-22: Contacting vendor through info@xxxxxxxxx (no response)
> 2018-02-27: Request update from vendor (no response)
> 2018-03-13: Trying to contact via web form http://www.mybiz.net/contact-us
>             (no response)
> 2018-05-14: Public release of security advisory
> 
> 
> Solution:
> ---------
> None
> 
> 
> Workaround:
> -----------
> None
> 
> 
> Advisory URL:
> -------------
> https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> SEC Consult Vulnerability Lab
> 
> SEC Consult
> Europe | Asia | North America
> 
> About SEC Consult Vulnerability Lab
> The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
> ensures the continued knowledge gain of SEC Consult in the field of network
> and application security to stay ahead of the attacker. The SEC Consult
> Vulnerability Lab supports high-quality penetration testing and the evaluation
> of new offensive and defensive technologies for our customers. Hence our
> customers obtain the most current information about vulnerabilities and valid
> recommendation about the risk profile of new technologies.
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Interested to work with the experts of SEC Consult?
> Send us your application https://www.sec-consult.com/en/career/index.html
> 
> Interested in improving your cyber security with the experts of SEC Consult?
> Contact our local offices https://www.sec-consult.com/en/contact/index.html
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Mail: research at sec-consult dot com
> Web: https://www.sec-consult.com
> Blog: http://blog.sec-consult.com
> Twitter: https://twitter.com/sec_consult
> 
> EOF Ahmad Ramadhan / @2018
> 

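The file-upload flaw in the advisory above boils down to one design mistake: the list of permitted extensions is read back from a hidden form field ("HiddenFieldControlCustomWhiteListedExtensions"), so the client decides the policy. The following Python is an added illustration written for this archive page; it is not MyProcureNet code and the real handler is ASP.NET, which the advisory does not show. Only the hidden-field name and the ".asp"/"secctest.asp" case come from the advisory; the request dictionaries, the server-side allowlist and the function names are constructed for the example. It places the vulnerable decision next to a hardened one that ignores anything the client says about policy and normalises the filename before checking its suffix.

```python
"""Client-controlled upload allowlist (vulnerable) vs server-owned allowlist (hardened).

Added example for this page; not the product's code. The field name
HiddenFieldControlCustomWhiteListedExtensions is taken from the advisory,
everything else here (request shape, allowlist contents) is constructed.
"""
import os
import posixpath

# Policy the server must own. Constructed for this example.
SERVER_ALLOWED_EXTENSIONS = frozenset({".pdf", ".docx", ".xlsx", ".png", ".jpg"})

HIDDEN_FIELD = "HiddenFieldControlCustomWhiteListedExtensions"


def _extension(filename: str) -> str:
    """Return the final suffix of the client-supplied filename, lower-cased.

    Any directory component (forward or backslash) is stripped first so a
    name such as '..\\..\\web\\Report.PDF' is judged on 'Report.PDF' alone.
    Only the last suffix counts, so 'shell.pdf.asp' yields '.asp'.
    """
    base = posixpath.basename(filename.replace("\\", "/"))
    return os.path.splitext(base)[1].lower()


def vulnerable_is_allowed(form: dict) -> bool:
    """Mirror of the flaw described in the advisory.

    The allowlist is parsed out of a hidden form field that the browser
    submits, so an attacker who appends ',.asp' to that field makes
    'secctest.asp' acceptable. Nothing here is under server control.
    """
    client_whitelist = {
        ext.strip().lower()
        for ext in form.get(HIDDEN_FIELD, "").split(",")
        if ext.strip()
    }
    return _extension(form["filename"]) in client_whitelist


def hardened_is_allowed(form: dict) -> bool:
    """Ignore client-supplied policy entirely; compare against the server list.

    The hidden field is never consulted. A filename with no extension is
    rejected rather than falling through to a permissive default.
    """
    ext = _extension(form["filename"])
    if not ext:
        return False
    return ext in SERVER_ALLOWED_EXTENSIONS


# Constructed requests modelled on the advisory's description.
LEGIT_REQUEST = {
    HIDDEN_FIELD: ".pdf,.docx",
    "filename": "invoice.pdf",
}
ATTACK_REQUEST = {
    # Attacker edits the hidden field before submitting and adds .asp.
    HIDDEN_FIELD: ".pdf,.docx,.asp",
    "filename": "secctest.asp",
}
TRAVERSAL_REQUEST = {
    HIDDEN_FIELD: "",
    "filename": "..\\..\\web\\Report.PDF",
}


def compare(form: dict) -> dict:
    """Run both decisions on one request so the difference is visible."""
    return {
        "filename": form["filename"],
        "vulnerable": vulnerable_is_allowed(form),
        "hardened": hardened_is_allowed(form),
    }


if __name__ == "__main__":
    for req in (LEGIT_REQUEST, ATTACK_REQUEST, TRAVERSAL_REQUEST):
        print(compare(req))
```

The hardened check still only addresses the extension decision the advisory describes; in a real handler it belongs alongside a server-generated storage name and a storage location outside the web root, so that even a mis-typed file cannot be requested back as a script.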
