Security Issues on Eramba
While researching the platform, I, Edward Amaral, and my coworkers Kelvin Clark and Lucas Carmo, security researchers at Stone Payments, found several security issues in Eramba, an IT Governance, Risk & Compliance (GRC) application.
The vulnerabilities were:
- Stored XSS
- Reflected XSS on the CSV import error page
- Reflected XSS in the date filter
- Reflected XSS in the search parameter
First, I would like to explain a bit about Cross-Site Scripting (XSS).
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute it. Because the browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
For more on the issue, see https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
In the proofs of concept reported below, I used a script tag that pops an alert box showing the integer 1, just to illustrate the issue. An attacker would normally use the variable document.cookie instead, to receive the user's session cookie!
That said, let's start the report!
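The sentence above names the root cause shared by all four findings: user input written into the generated HTML without encoding. The following Python snippet is an added example, not code from this post and not Eramba's own code (Eramba is a PHP application; Python is used here purely to illustrate the pattern). It places the vulnerable concatenation beside the hardened version, uses the payloads quoted later in this post as inputs, and shows the same output encoding applied to a constructed CSV upload echoed back on an import error page, as in finding 2. The function names and the CSV sample are assumptions made for the example.

```python
import csv
import html
import io

# Payloads quoted in the post, reused here as inputs to the renderers.
PAYLOADS = [
    '<script>alert(1)</script>',
    '<script>alert(2)</script>',
    '<img src="" onerror="alert(1);">',
]

# Constructed CSV upload (not from the post): one cell carries the
# script tag from finding 2.
CONSTRUCTED_CSV = (
    'name,description\n'
    'Vendor A,Normal description\n'
    'Vendor B,<script>alert(1)</script>\n'
)


def render_search_vulnerable(term: str) -> str:
    """Vulnerable pattern: the user-controlled term goes straight into the
    HTML body, so any '<' in it is parsed by the browser as markup."""
    return f'<p>Results for: {term}</p>'


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text node or attribute value: '&', '<',
    '>', '"' and "'" become entities, so the browser displays the text
    instead of executing it."""
    return html.escape(value, quote=True)


def render_search_hardened(term: str) -> str:
    """Hardened version of render_search_vulnerable: encode at the point
    where the value is written into the HTML."""
    return f'<p>Results for: {encode_for_html(term)}</p>'


def csv_preview_error(csv_text: str, max_len: int = 60) -> str:
    """Build the HTML for a CSV import error/preview page. Every cell that
    is echoed back (including the offending one) is encoded first, so a
    script tag inside the upload is shown, not run."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    rows = ['<tr>' + ''.join(f'<th>{encode_for_html(h)}</th>' for h in header) + '</tr>']
    for row in reader:
        cells = ''.join(f'<td>{encode_for_html(c[:max_len])}</td>' for c in row)
        rows.append(f'<tr>{cells}</tr>')
    return '<table class="import-preview">' + ''.join(rows) + '</table>'


def has_raw_tag(encoded_fragment: str) -> bool:
    """True if a fragment that should contain only text still has a raw '<'."""
    return '<' in encoded_fragment


if __name__ == '__main__':
    for p in PAYLOADS:
        print('vulnerable:', render_search_vulnerable(p))
        print('hardened:  ', render_search_hardened(p))
    print(csv_preview_error(CONSTRUCTED_CSV))
```

The important design point is where the encoding happens: at output time, in the context the value is written into (here an HTML text node and a table cell), rather than by trying to strip or blacklist tags on input. Input validation is still useful, but output encoding is what closes the four cases above.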
1- Stored XSS
The first cross-site scripting issue was in the tooltip box of the description parameter at https://<ip-address>/programScopes.
The payload used was: <"img src="" onerror="alert(1);">
2- Reflected XSS on the CSV import error page
The second cross-site scripting issue was at https://<ip-address>/importTool/preview, on the error page shown while importing a CSV file with an HTML script tag embedded in it.
The payload used was: <script>alert(1)</script>
3- Reflected XSS in the date filter
The third was found at https://<ip-address>/crons?advanced_filter=1&created__comp_type=0&created=%3Cscript%3Ealert(2)%3C%2Fscript%3E&created__show=1&type__show=1&execution_time__comp_type=0&execution_time__show=1&status__show=1&_limit=15
The payload used was: <script>alert(2)</script>
4- Reflected XSS in the search parameter
The fourth was found at http://<ip-address>/reviews/filterIndex/ThirdPartyRiskReview? in the advanced_filter parameter.
The payload used was: <script>alert(1)</script>
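Findings 3 and 4 both arrive as query-string parameters, so they leave a trace in the web server access log before any patch is applied. The following Python snippet is an added example, not code from this post or from Eramba: it scans constructed Apache-style log lines (built for the example, not taken from a real server) for filter or search parameters that carry markup, decoding percent-encoding repeatedly so that a double-encoded value is not missed. The regular expressions, the log format and the function names are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (Apache combined-style; not real traffic).
# Line 2 carries the URL-encoded payload from finding 3, line 3 the one
# from finding 4, and line 4 is double-encoded so a single decode pass
# would not reveal the tag.
CONSTRUCTED_LOG = """\
10.0.0.5 - - [10/Mar/2018:10:01:02 +0000] "GET /crons?advanced_filter=1&_limit=15 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2018:10:01:09 +0000] "GET /crons?advanced_filter=1&created__comp_type=0&created=%3Cscript%3Ealert(2)%3C%2Fscript%3E&created__show=1 HTTP/1.1" 200 5204 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2018:10:02:30 +0000] "GET /reviews/filterIndex/ThirdPartyRiskReview?advanced_filter=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2018:10:03:11 +0000] "GET /programScopes?search=%253Cimg+src%3D%22%22+onerror%3D%22alert(1)%3B%22%253E HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Minimal parser for the request line; only the fields we report on.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markup that has no business inside a filter, date or search value.
XSS_PATTERNS = re.compile(r'<\s*script|<\s*img|on\w+\s*=|javascript:', re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    %253C -> %3C -> '<' is caught as well as a single-encoded value."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request(target: str) -> list:
    """Return [(param, decoded_value), ...] for query parameters that
    contain markup. parse_qsl already decodes one layer of encoding."""
    parts = urlsplit(target)
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        if XSS_PATTERNS.search(value):
            hits.append((name, value))
    return hits


def scan_log(text: str) -> list:
    """Run scan_request over every parsable line; one alert per line that
    carried at least one suspicious parameter."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = scan_request(m['target'])
        if hits:
            alerts.append({
                'ip': m['ip'],
                'path': urlsplit(m['target']).path,
                'status': int(m['status']),
                'params': hits,
            })
    return alerts


if __name__ == '__main__':
    for alert in scan_log(CONSTRUCTED_LOG):
        print(alert)
```

A status of 200 on such a request is worth noting in the alert: it does not prove the parameter was reflected unencoded, but on an unpatched instance it is the same response the proofs of concept above received. Stored payloads, as in finding 1, come in through form POST bodies and will not appear in this kind of log; they need application-side logging or the output encoding shown earlier.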
CVEs related to this post:
CVE-2018-7996
CVE-2018-7997
CVE-2018-7894
CVE-2018-7741