
SA-CORE-2012-001 - ConcourseSuite multiple vulnerabilities

Posted by Concursive Security Team on August 7, 2012 at 5:15pm EST

  • Advisory ID: CONCOURSESUITE-SA-CORE-2012-001
  • Project: ConcourseSuite
  • Version: 6.1 and prior versions
  • Date: 2012-08-07
  • Security risk: Less critical
  • Exploitable from: Interaction by a web user is required for this exploit to be successful
  • Vulnerability: Cross-site request forgery, script insertion

Description

Cross-Site Request Forgery

The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests.

This can be exploited, for example, to change the access roles of a user when a logged-in administrative user visits a specially crafted web page. If such a form is hosted on another, trusted domain and an administrator of ConcourseSuite submits it while logged in, the respective information will be updated.

To prevent this from happening, the Concursive Security Team followed the OWASP CSRF prevention measures.

Script Insertion

Input passed via multiple parameters and multiple scripts is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site if malicious data is viewed.

This can be exploited by a user of the system who updates contact or account information, which then appears in the recent items list or when address information is displayed on the record's details page.

To prevent this from happening, the Concursive Security Team followed the OWASP XSS prevention measures.
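As an added illustration of the two OWASP measures this advisory refers to (example code written here, not ConcourseSuite's own; the session, handler and store names are assumptions), a minimal model of a synchronizer-token check on the role-change action and output encoding for contact data shown in the recent items list:

```python
import hmac
import html
import secrets

# Constructed stand-in for the account store: username -> access role.
ROLES = {}


class Session:
    """Assumed server-side session: a per-session secret token is rendered
    into every state-changing form and compared on submission."""

    def __init__(self, user, is_admin):
        self.user = user
        self.is_admin = is_admin
        self.csrf_token = secrets.token_urlsafe(32)


def change_role(session, form):
    """Handle a POST that changes another user's access role (hypothetical handler)."""
    if not session.is_admin:
        return 403, "forbidden"
    # A form hosted on another domain cannot read the victim's session token,
    # so a missing or mismatched token rejects the forged request before any update.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "csrf token invalid"
    ROLES[form["user"]] = form["role"]
    return 200, "role updated"


def render_recent_item(contact_name):
    """Encode untrusted contact data for an HTML body context before it reaches the page."""
    return "<li>" + html.escape(contact_name, quote=True) + "</li>"
```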

Versions

  • ConcourseSuite versions prior to 6.2 (20120806)

Solution

Install the latest version:

  • If you use ConcourseSuite 6.x, upgrade to ConcourseSuite 6.2
  • If you use ConcourseSuite 5.x, please contact Concursive on how you can upgrade to 6.2

Reported by

  • Matthew Joyce via Secunia SVCRP

Contact and More Information

The Concursive Security Team can be reached by using the Contact Us form on our website.
