BugTraq
SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet May 14 2018 11:25AM
SEC Consult Vulnerability Lab (research sec-consult com) (1 replies)
Re: SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet May 15 2018 06:43AM
SEC Consult Vulnerability Lab (research sec-consult com)
The following CVE numbers have been assigned now:
XSS issue: CVE-2018-11090
Arbitrary File Upload: CVE-2018-11091

On 2018-05-14 13:25, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20180514-0 >
> =======================================================================
> title: Arbitrary File Upload & Cross-site scripting
> product: MyBiz MyProcureNet
> vulnerable version: 5.0.0
> fixed version: unknown
> CVE number: -
> impact: Critical
> homepage: http://www.mybiz.net/
> found: 2018-01-29
> by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
> Fikri Fadzil (Office Singapore)
> Wan Ikram (Office Kuala Lumpur)
> Jasveer Singh (Office Kuala Lumpur)
> SEC Consult Vulnerability Lab
>
> An integrated part of SEC Consult
> Europe | Asia | North America
>
> https://www.sec-consult.com
>
> =======================================================================
>
> Vendor description:
> -------------------
> "MyBiz is a company fixated on developing technology which transforms the way
> business is done online. At the intersection of what one business needs from
> another is the potential for value to be created differently. This
> intersection for the exchange of value requires technology but in
> fundamentally very different ways from traditional enterprise systems. MyBiz
> believes that the chemistry of business is the business relationships between
> enterprises. The strength of the business relationship drives the success and
> future of the business. MyBiz believes that these business relationships need
> to be captured and orchestrated. MyBiz developed our proprietary Business
> Relationship Network engine, a platform to capture business relationships as
> data to drive new business services which create value efficiently."
>
> Source: http://www.mybiz.net/copy-of-our-story
>
>
> Business recommendation:
> ------------------------
> The vendor did not reply to our inquiries since February 2018 hence the issues
> might still exist in current versions.
>
> SEC Consult recommends not to use this product until a thorough security review
> has been performed by security professionals and all identified issues have
> been resolved. It is assumed that MyBiz products are affected by further
> critical security issues.
>
>
> Vulnerability overview/description:
> -----------------------------------
> The identified vulnerabilities can be exploited after authentication but
> the registration for the application is usually open for anyone.
>
> 1. Arbitrary File Upload
> A malicious file can be uploaded to the webserver by an attacker. It is
> possible for an attacker to upload a script to issue operating system
> commands.
>
> This vulnerability occurs because an attacker is able to adjust the
> "HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary
> extensions to the whitelist during the upload.
>
> For instance, if the extension .asp is added to the
> "HiddenFieldControlCustomWhiteListedExtensions" parameter, the server
> accepts "secctest.asp" as a legitimate file. Hence malicious files can be
> uploaded in order to execute arbitrary commands to take over the server.
>
>
> 2. Reflected Cross-site scripting
> This vulnerability within "ProxyPage.aspx" allows an attacker to inject
> malicious client side scripting which will be executed in the browser of
> users if they visit the manipulated site.
>
>
> Proof of concept:
> -----------------
> The proof of concept has been removed as no patch is available.
>
>
> Vulnerable / tested versions:
> -----------------------------
> MyBiz MyProcureNet version 5.0.0 has been tested and found to be vulnerable. This
> was the latest version available at the time of the test.
>
>
> Vendor contact timeline:
> ------------------------
> 2018-02-22: Contacting vendor through info (at) mybiz (dot) net (no response)
> 2018-02-27: Request update from vendor (no response)
> 2018-03-13: Trying to contact via web form http://www.mybiz.net/contact-us
> (no response)
> 2018-05-14: Public release of security advisory
>
>
> Solution:
> ---------
> None
>
>
> Workaround:
> -----------
> None
>
>
> Advisory URL:
> -------------
> https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> SEC Consult Vulnerability Lab
>
> SEC Consult
> Europe | Asia | North America
>
> About SEC Consult Vulnerability Lab
> The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
> ensures the continued knowledge gain of SEC Consult in the field of network
> and application security to stay ahead of the attacker. The SEC Consult
> Vulnerability Lab supports high-quality penetration testing and the evaluation
> of new offensive and defensive technologies for our customers. Hence our
> customers obtain the most current information about vulnerabilities and valid
> recommendation about the risk profile of new technologies.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Interested to work with the experts of SEC Consult?
> Send us your application https://www.sec-consult.com/en/career/index.html
>
> Interested in improving your cyber security with the experts of SEC Consult?
> Contact our local offices https://www.sec-consult.com/en/contact/index.html
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Mail: research at sec-consult dot com
> Web: https://www.sec-consult.com
> Blog: http://blog.sec-consult.com
> Twitter: https://twitter.com/sec_consult
>
> EOF Ahmad Ramadhan / @2018
>
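
Added example (not part of the advisory and not MyProcureNet code): a Python illustration of the flaw class described in issue 1, an upload check that reads its extension allowlist from the request, next to a check that relies on a server-side allowlist only, plus a helper that flags requests asking for extra extensions. Only the field name comes from the advisory; the comma-separated value format, the allowed extension set and all function names are assumptions.

```python
import re

# Server-side policy: fixed in code/config, never taken from the request.
# The extension set is an assumed example for a document-upload feature.
SERVER_ALLOWED = frozenset({".pdf", ".docx", ".xlsx", ".png", ".jpg"})

# Field name from the advisory; the comma-separated format is an assumption.
CLIENT_FIELD = "HiddenFieldControlCustomWhiteListedExtensions"


def extension_of(filename):
    """Return the lowercased final extension, or None if the name is unsafe."""
    # Reject path separators, control bytes, and ':' / ';', which some
    # Windows/IIS stacks treat specially when resolving the stored file.
    if not filename or re.search(r'[\\/:;\x00-\x1f]', filename):
        return None
    # Windows strips trailing dots and spaces, so "a.asp." is stored as "a.asp".
    if filename != filename.rstrip(". "):
        return None
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem or not ext:
        return None
    return "." + ext.lower()


def allowed_trusting_client(filename, form):
    """Flawed pattern from the advisory: allowlist is read from the request."""
    raw = form.get(CLIENT_FIELD, "")
    client_list = {e.strip().lower() for e in raw.split(",")}
    return extension_of(filename) in client_list


def allowed_server_side(filename, form):
    """Hardened check: the request's allowlist field is ignored entirely."""
    ext = extension_of(filename)
    return ext is not None and ext in SERVER_ALLOWED


def tampered_allowlist(form):
    """Detection aid: extensions the client requested beyond server policy."""
    raw = form.get(CLIENT_FIELD, "")
    requested = {e.strip().lower() for e in raw.split(",") if e.strip()}
    return sorted(requested - SERVER_ALLOWED)
```

An extension allowlist is one layer only; storing uploads outside any directory from which the web server executes scripts removes the execution path even if a check is bypassed.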
