ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities

2007.03.09
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities scip AG Vulnerability ID 2893 (12/22/2006) http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2893 I. INTRODUCTION ePortfolio is a e-banking application by TKS Banking Solutions. More information is available on the vendors web site at the following URL: http://www.tksbankingsolutions.com/ II. DESCRIPTION Stefan Friedli found several web-based vulnerabilities that were identified in ePortfolio version 1.0 Java and may affect earlier versions as well. The application uses heavy amounts of javascript code for operation. As this is not generally a bad thing, it causes massive problems when it comes to data validation. As we recognized, the entire validation of input is realized by client-side javascript which can easily be bypassed using a Proxy BURPproxy or WebScarab to modify original requests sent (and validated) by the browser. We assume this vulnerability to exist in nearly every form offered by the application. Due to the limited functionality of the account used for testing, we're not able to definitely confirm or deny this fact. PoC Code is not being published. IV. IMPACT As there is a serious lack of server-side measured to protect the application from malicious input, an attacker may realize nearly every attack that relies on lacking input-validation which includes Cross Site Scripting and Cross-Site Request Forgery (Session Riding) . V. DETECTION Detection of web based attacks requires a specialized web proxy and/or intrusion detection system. Patterns for detection of basic attacks are available and easy to implement, though they may possibly fail on more sophisticated attacks. VI. SOLUTION Server-side input validation should be provied by the application vendor as soon as possible. VII. VENDOR RESPONSE The problems were recognized and will, according to the vendor, be adressed with the next release by the end of this week. Further, the vendor claims to be able to change the faulty behaviour remotely or by editing a non-specified file for existing customers. VIII. SOURCES scip AG - Security Consulting Information Process (german) http://www.scip.ch scip AG Vulnerability Database (german) http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2893 IX. DISCLOSURE TIMELINE 12/22/06 Identification of the vulnerabilities 02/05/07 Notification of the vendor 03/02/07 Vendor Response 03/02/07 Release of public advisory IX. CREDITS The vulnerabilities were discovered by Stefan Friedli. Stefan Friedli, scip AG, Zuerich, Switzerland stfr-at-scip.ch http://www.scip.ch A2. LEGAL NOTICES Copyright (c) 2007 scip AG, Switzerland. Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.6 iQA/AwUBRewVwVJ79Mw3xa1EEQImugCeI1Jzz612APrcXkzzIGsuHPB/xz0An3oD j48MiupM2jtTyTp08Oukqkvi =ftmv -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top