Corda Path Disclosure and XSS

============================================================ FOREGROUND SECURITY, SECURITY ADVISORY 2013-002 - Original release date: July 12, 2013 - Discovered by: Adam Willard (Software Security Analyst at Foreground Security) - Contact: (awillard (at) foregroundsecurity (dot) com) - Severity: 4.3/10 (Base CVSS Score) ============================================================  I. VULNERABILITY ------------------------- Corda suffers Path Disclosure in Highwire.ashx and XSS vulnerabilities  II. BACKGROUND ------------------------- Corda Highwire allows you to generate pdf documents Corda Server .NET Redirector version: allows the Web server to handle client requests for visualizations.  III. DESCRIPTION ------------------------- Corda Path Disclosure in Highwire.ashx Corda Redirector XSS when a file isn't found   IV. PROOF OF CONCEPT ------------------------- Path Disclosure Execution of a url can expose the file system directory /highwire.ashx?url=../../  XSS Execution of a similar URL allows XSS to be run as long as the Domain of the File parameter matches the domains allowed http://<URL>/Corda/redirector.corda/? () _FILEhttp://<URL>/?<script>alert('Text')</script><iframe  src=></iframe>@_TEXTDESCRIPTIONEN   V. BUSINESS IMPACT ------------------------- Discover path structure of a drive and attempt directory/file traversal An attacker could perform session hijacking or phishing attacks.  VI. SYSTEMS AFFECTED ------------------------- Systems implementing Corda/Domo products  VII. SOLUTION ------------------------- Software has been marked EOL by Domo; Highwire products no longer supported.  VIII. REFERENCES -------------------------  IX. CREDITS ------------------------- This vulnerability has been discovered by Adam Willard (awillard (at) foregroundsecurity (dot) com)  X. REVISION HISTORY ------------------------- - July 12, 2013: Initial release.  XI. DISCLOSURE TIMELINE ------------------------- July 9, 2013: Issue identified within a deployed application by Adam Willard. July 9, 2013: Vulnerability discovered by Adam Willard. July 12, 2013: Contacted Vendor July 12, 2013: Vendor commented that the software is EOL with no support. July 12, 2013: Security advisory released.  XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use  or otherwise.

Foreground Security

Leave a Reply