ID: 3550
Date: 18/01/2008
Title: 3550 - Meridio Document and Records Management Vulnerability
Platform level affected:Net Application - Enterprise
Hardware components affected:Intel PC
Specific operating systems components affected: 32-bit Windows
Net-enabled software: Enterprise Application
Security software:Other
Other software: Other
Remediation Summary:Update your copy of the software with the download available from the supplier.
Vendors affected:Meridio
Applications affected:Meridio Document and Records Management
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Proof of concept
Potential Damage: Remote execution/modification
Possible Duration: Open Ended
Availability of fix: Available
Type of fix: Patch
Source: R Dominguez Vega, MWR InfoSecurity
Reliability of source: Trusted
Source URL: http://www.mwrinfosecurity.com/
CVE: Not Yet Assigned
Abstract: Meridio Document and Records Management has been identified as being vulnerable to an embedded Cross Site Scripting attack that could potentially allow remote attackers to inject JavaScript into the application.
Overview:
Meridio Document and Records Management has been identified as being vulnerable to an embedded Cross Site Scripting attack that could potentially allow remote attackers to inject JavaScript into the application. This would then be executed within the context of the browser of the application user.
Impact:
The impact of this attack is only limited by the creativity of the attacker exploiting this vulnerability. The most dangerous form of XSS involves hostile code being permanently stored within the application. This means the embedded code would be executed by every user accessing the affected page and this is the case in this instance.
Cause:
The exploitation of this vulnerability is possible because the Meridio Document and Records Management does not properly sanitise parameters that are passed to it. If a script is passed to one of the affected Meridio Document and Records Management parameters, the script is embedded into the application and therefore is returned to the user's browser in the server response and executed.
Interim Workaround:
No workarounds are known for this issue.
Solution:
Meridio have addressed this vulnerability and implemented a fix in version 4.3 SR1 and higher. These versions have yet to be tested.
It should be noted that this is not a current issue for customers and that the resolution update was made as far back as 2005.
Full advisory: http://www.mwrinfosecurity.com/publications/mwri_meridio-advisory-embedded-xss_2008-01-04.pdf
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Fri, 18 Jan 2008 15:00:00 GMT
Domain affected: Technical