eFront Cross Site Scripting and Arbitrary File Upload Vulnerabilities
BID:53412
Info
| Field | Value |
| --- | --- |
| Bugtraq ID: | 53412 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 07 2012 12:00AM |
| Updated: | May 07 2012 12:00AM |
| Credit: | L3b-r1'z |
| Vulnerable: | eFront eFront 3.6.11 |
| Not Vulnerable: | |
Discussion
eFront is prone to a cross-site scripting vulnerability and an arbitrary-file-upload vulnerability because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues to steal cookie-based authentication information, execute arbitrary scripts in the context of the browser, upload and execute arbitrary files in the context of the web server, and launch other attacks.
eFront 3.6.11 is vulnerable; other versions may also be affected.
Exploit / POC
Attackers can exploit these issues through a browser. To exploit a cross-site scripting vulnerability, an attacker must entice an unsuspecting user to follow a malicious URI.
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- eFront Homepage (eFront)