C2Box 4.0.0(r19171) Validation Bypass

2016.03.28
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

#####################################

Title: Validation Bypass in C2Box application allows user to input negative value
Author: Harish Ramadoss
Vendor: boxautomation (B.A.S)
Product: C2Box
Version: All versions below 4.0.0(r19171)
Tested Version: Version 4.0.0(r19171)
Severity: Medium
CVE Reference: CVE-2015-4626

# About the Product:
B.A.S C2Box provides global solutions enabling full control and visibility over cash positions and managing domestic or cross-border payment processes.

# Description:
Performing validation in client-side code, generally JavaScript, provides no protection for server-side code. An attacker can simply disable JavaScript or use a security testing proxy such as Burp Suite to bypass the client-side validation. Unvalidated input might corrupt business logic.

# Vulnerability Class:
Unvalidated Input - https://www.owasp.org/index.php/Unvalidated_Input

# How to Reproduce (POC):
While creating an overdraft using the overdraft editor form in the C2Box application, disable JavaScript to disable client-side validation. The submitted value can then be intercepted with a proxy and a negative value inserted, corrupting the business logic.

# Disclosure:
Discovered: June 10, 2015
Vendor Notification: June 10, 2015
Advisory Publication: Mar 28, 2016
Public Disclosure: Mar 28, 2016

# Solution:
Upgrading to the latest build fixes this issue. The new version number is 15.6.22.
Release date: June 22, 2015

# Credits:
Harish Ramadoss
Senior Security Analyst
Help AG Middle East

# References:
[1] Help AG Middle East - http://www.helpag.com/
[2] http://www.boxautomation.com/
[3] https://www.owasp.org/index.php/Unvalidated_Input
[4] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
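The fix the advisory calls for is server-side enforcement of the rule the JavaScript check was supposed to provide. The following is an added illustration, not code from C2Box or the vendor: a hypothetical server-side validator for an overdraft amount field (the field name `amount` and the limit `MAX_OVERDRAFT` are assumptions), written so that a request built by hand or altered in a proxy is judged by the same rules as one produced by the form.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Hypothetical limits for this example; the real C2Box form, its field
# names and its business limits are not known from the advisory.
MAX_OVERDRAFT = Decimal("1000000.00")
MONEY_QUANTUM = Decimal("0.01")


class ValidationError(ValueError):
    """Raised when a submitted value fails the server-side checks."""


def validate_overdraft_amount(raw):
    """Validate the overdraft amount exactly as received in the request body.

    The client-side JavaScript check is treated as absent: the request may
    have been built by hand or altered in a proxy, so every rule is
    enforced here and the value is normalised before it reaches business logic.
    """
    if raw is None:
        raise ValidationError("amount is required")
    if not isinstance(raw, str):          # e.g. a repeated parameter parsed as a list
        raise ValidationError("amount must be a single string field")
    text = raw.strip()
    if not text:
        raise ValidationError("amount is required")
    try:
        value = Decimal(text)             # exact decimal arithmetic for money
    except InvalidOperation:
        raise ValidationError("amount is not a valid number")
    if not value.is_finite():             # rejects NaN, Infinity and -Infinity
        raise ValidationError("amount must be finite")
    if value.as_tuple().exponent < -2:    # more than two decimal places
        raise ValidationError("amount may have at most two decimal places")
    if value <= 0:                        # the bypass in the advisory: negative (or zero) amounts
        raise ValidationError("amount must be greater than zero")
    if value > MAX_OVERDRAFT:
        raise ValidationError("amount exceeds the permitted maximum")
    return value.quantize(MONEY_QUANTUM, rounding=ROUND_HALF_UP)


def handle_overdraft_submission(form):
    """Stand-in for the server-side handler: ('ok', amount) or ('error', reason)."""
    try:
        amount = validate_overdraft_amount(form.get("amount"))
    except ValidationError as exc:
        return ("error", str(exc))
    return ("ok", amount)
```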

