Plunet BusinessManager failure in access controls and multiple stored cross site scripting Jan 07 2009 05:58PM
Matteo Ignaccolo (h725ml securenetwork it)
Secure Network - Security Research Advisory

Vuln name: Failure in Access Controls; multiple Stored Cross Site Scripting
Systems affected: Plunet BusinessManager
Systems not affected:
Severity: High
Local/Remote: Remote
Vendor URL: http://www.plunet.de
Author(s): Matteo Ignaccolo m.ignaccolo (at) securenetwork (dot) it [email concealed] - Gabriele Zanoni
g.zanoni (at) securenetwork (dot) it [email concealed]
Relates to:
Vendor disclosure: 23/09/2008
Vendor acknowledged:
Vendor patch release:
Public disclosure: 23/12/2008
Advisory number: SN-2008-04
Advisory URL: http://www.securenetwork.it/advisories/

*** SUMMARY ***

Plunet BusinessManager is a powerful software for traslation companies, that
offers on a single platform a solution to handle customers, traslators,
document management, data, order management e processing.
Since Plunet BusinessManager suffers of incorrect validation of some input
forms, Stored Cross Site Scripting attacks are allowed.
Moreover customers and traslators can access data and file not related to


The application fails to perform a correct access control to data and file.
Any user (Customers and Traslators) colud retrive and alter data and
file not related to him. Also, an user could be easily enumerate all Company

The application fails to validate QUB and Bez74 parameters, so stored Cross
Scripting attacks are possible.

*** EXPLOIT ***

An authenticated Customer could use the following URL to access to other
Customers private area.


An authenticated Traslator could use the following URL to access Orders not
related to him



An authenticated traslator could use the following URL to access to Jobs not
related to him

http://domain/pagesUTF8/auftrag_job.jsp?OSG05=1944&anchor=AJob31944 surf jobs

Stored Cross Site Scripting

POST /pagesUTF8/auftrag_allgemeinauftrag.jsp HTTP/1.1
Host: <HOSTNAME> or IP
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:
Ubuntu/8.04 (hardy) Firefox/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://<hostname or IP>/pagesUTF8/auftrag_allgemeinauftrag.jsp
Cookie: JSESSIONID=0B1347DFFD031E6BC1944C381A31293D
Content-Type: application/x-www-form-urlencoded
Content-Length: 1085



No patch is currently available.


No workaround is available, but some application firewalls and IPS can be
reconfigured to thwart the attack.


Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security
research and development.

We are committed to open, full disclosure of vulnerabilities, cooperating
whenever possible with software developers for properly handling disclosure.

This advisory is copyright 2008 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similars, provided that due credit is given to Secure Network.

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.

E-mail: securenetwork (at) securenetwork (dot) it [email concealed]
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 02 24 12 67 88

Dott. Ing. Matteo Ignaccolo

Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI) - Italia
Tel: +39 02.24126788
email: m.ignaccolo (at) securenetwork (dot) it [email concealed]
web: www.securenetwork.it
Dott. Ing. Matteo Ignaccolo

Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI) - Italia
Tel: +39 02.24126788
email: m.ignaccolo (at) securenetwork (dot) it [email concealed]
web: www.securenetwork.it

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus