Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29553
HistoryJul 15, 2013 - 12:00 a.m.

[Foreground Security 2013-002]: Corda Path Disclosure and XSS

2013-07-1500:00:00
vulners.com
51

Corda Path Disclosure and XSS

FOREGROUND SECURITY, SECURITY ADVISORY 2013-002

  • Original release date: July 12, 2013
  • Discovered by: Adam Willard (Software Security Analyst at Foreground Security)
  • Contact: (awillard (at) foregroundsecurity (dot) com)
  • Severity: 4.3/10 (Base CVSS Score)
    ============================================================

I. VULNERABILITY

Corda suffers Path Disclosure in Highwire.ashx and XSS vulnerabilities

II. BACKGROUND

Corda Highwire allows you to generate pdf documents
Corda Server .NET Redirector version: 7.3.11.6715 allows the Web server to handle client requests for visualizations.

III. DESCRIPTION

Corda Path Disclosure in Highwire.ashx
Corda Redirector XSS when a file isn't found

IV. PROOF OF CONCEPT

Path Disclosure
Execution of a url can expose the file system directory
/highwire.ashx?url=…/…/

XSS
Execution of a similar URL allows XSS to be run as long as the Domain of the File parameter matches the domains allowed
http://<URL>/Corda/redirector.corda/?@_FILEhttp://<URL>/?<script>alert('Text')</script><iframe src=http://www.exploit-db.com></iframe>@_TEXTDESCRIPTIONEN

V. BUSINESS IMPACT

Discover path structure of a drive and attempt directory/file traversal
An attacker could perform session hijacking or phishing attacks.

VI. SYSTEMS AFFECTED

Systems implementing Corda/Domo products

VII. SOLUTION

Software has been marked EOL by Domo; Highwire products no longer supported.

VIII. REFERENCES

http://www.domo.com
http://www.foregroundsecurity.com

IX. CREDITS

This vulnerability has been discovered by Adam Willard (awillard (at) foregroundsecurity (dot) com)

X. REVISION HISTORY

  • July 12, 2013: Initial release.

XI. DISCLOSURE TIMELINE

July 9, 2013: Issue identified within a deployed application by Adam Willard.
July 9, 2013: Vulnerability discovered by Adam Willard.
July 12, 2013: Contacted Vendor
July 12, 2013: Vendor commented that the software is EOL with no support.
July 12, 2013: Security advisory released.

XII. LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.