SA-CORE-2012-001 - ConcourseConnect multiple vulnerabilities
Posted by Concursive Security Team on December 3, 2012 at 10:00am EST
- Advisory ID: CONCOURSECONNECT-SA-CORE-2012-001
- Project: ConcourseConnect
- Version: 2.0.2 and prior versions; 3.0 and 4.0 prior to 2012-11-07
- Date: 2012-12-03
- Security risk: Less critical
- Exploitable from: Interaction by a web user is required for this exploit to be successful
- Vulnerability: Cross-site request forgery, script insertion
Description
Cross-Site Request Forgery
The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests.
This can be exploited to, for example, change the access roles of a user when a logged-in administrative user visits a specially crafted web page. If such a form is hosted on another domain that the administrator trusts and is submitted by an administrator of ConcourseConnect while logged in, the respective information will be updated.
To prevent this from happening, the Concursive Security Team followed the OWASP CSRF prevention measures.
Script Insertion
Input passed via multiple parameters and multiple scripts is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site if the malicious data is viewed.
This can be exploited by a user of the system who updates user profile information, which then appears in the record's details page.
To prevent this from happening, the Concursive Security Team followed the OWASP XSS prevention measures.
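The two fixes described above, shown as an added stand-alone illustration rather than ConcourseConnect's own code: a role-change handler before and after adding an OWASP-style synchronizer token check, and a profile renderer before and after HTML output encoding. The Session class, the form field names and the role values are assumptions made for this example.

```python
import html
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Hypothetical server-side session; the token is generated per session."""
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def change_role_vulnerable(session, form, roles):
    """Pre-fix behaviour: any POST carried by an admin's session is honoured,
    including one triggered by a form hosted on another domain (CSRF)."""
    if not session.is_admin:
        return False
    roles[form["user"]] = form["role"]
    return True


def change_role_fixed(session, form, roles):
    """Post-fix behaviour: the request must also carry the session-bound token,
    which a cross-site form cannot know. Constant-time compare on bytes."""
    if not session.is_admin:
        return False
    submitted = form.get("csrf_token", "").encode("utf-8")
    if not secrets.compare_digest(submitted, session.csrf_token.encode("utf-8")):
        return False  # reject: missing or wrong token, nothing is updated
    roles[form["user"]] = form["role"]
    return True


def render_profile_vulnerable(profile):
    """Pre-fix behaviour: the stored 'about' text is placed into the page raw,
    so markup entered on the profile form runs in every viewer's browser."""
    return "<p>{}</p>".format(profile["about"])


def render_profile_fixed(profile):
    """Post-fix behaviour: HTML-encode untrusted text at the point of output
    (the OWASP XSS prevention rule for HTML body content)."""
    return "<p>{}</p>".format(html.escape(profile["about"], quote=True))


if __name__ == "__main__":
    admin = Session("admin", is_admin=True)
    roles = {"alice": "member"}
    forged = {"user": "alice", "role": "admin"}  # constructed: no token, as from a cross-site form
    print(change_role_fixed(admin, forged, roles), roles)  # False, alice still a member
    print(render_profile_fixed({"about": "<script>alert(1)</script>"}))
```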
Versions
- ConcourseConnect versions prior to 2.0.3; 3.0 and 4.0 prior to 2012-11-07
Solution
Install the latest version:
- If you use ConcourseConnect 2.0.2, upgrade to ConcourseConnect 2.0.3
- If you use ConcourseConnect 3.0 or 4.0, upgrade to ConcourseConnect 4.0 (2012-11-21)
Reported by
- Matthew Joyce via Secunia SVCRP
Contact and More Information
The Concursive Security Team can be reached by using the Contact Us form on our website.