Numara FootPrints Script Insertion and Command Execution
Sunday, 16 March 2008
Some vulnerabilities have been discovered in Numara FootPrints, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to compromise a vulnerable system.
1) Input passed to the "Title" form field parameter when creating an appointment is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is then executed in a user's browser session in the context of an affected site when the malicious data is viewed.
Successful exploitation requires valid user credentials.
2) Input passed to the "PROJECTNUM" parameter in MRcgi/MRProcessIncomingForms.pl is not properly sanitised before being used in a call to "system()". This can be exploited to inject and execute arbitrary commands using e.g. the "|" character.
The vulnerabilities are confirmed in version 8.1 on Linux. Other versions may also be affected.
Restrict network access and grant only trusted users access to the application.
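The pattern behind item 2, as an added example (not FootPrints source and not part of the original advisory): Perl code that validates a CGI parameter before it reaches system() and avoids the shell altogether. It assumes PROJECTNUM is meant to be a short decimal number; the helper path and the function names are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration, not FootPrints code. Names and paths are hypothetical.
use strict;
use warnings;

# Hypothetical helper program the CGI passes the project number to.
my $HELPER = '/usr/local/bin/process_project';

# Allowlist check: 1-9 ASCII digits and nothing else.
# \A and \z anchor the whole string ("$" would tolerate a trailing newline),
# and [0-9] is used instead of \d, which also matches non-ASCII digits.
sub valid_projectnum {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([0-9]{1,9})\z/;
    return $1;
}

# Vulnerable pattern, shown for contrast and never called here:
# a single-string system() is handed to /bin/sh when it contains shell
# metacharacters, so "|" in the parameter starts a second command.
sub run_unsafe {
    my ($projectnum) = @_;
    return system("$HELPER $projectnum");
}

# Hardened pattern: reject anything that fails validation, then use the
# list form of system(), which executes the helper directly with no shell.
sub run_safe {
    my ($raw) = @_;
    my $projectnum = valid_projectnum($raw);
    die "rejected PROJECTNUM\n" unless defined $projectnum;
    return system($HELPER, $projectnum);
}

# Constructed sample inputs: valid, pipe character, trailing newline,
# empty, leading space, fullwidth Unicode digits.
for my $raw ('42', '42|x', "42\n", '', ' 7', "\x{FF14}\x{FF12}") {
    my $ok = valid_projectnum($raw);
    # Escape non-printable and non-ASCII characters for display.
    (my $shown = $raw) =~ s/([^\x20-\x7e])/sprintf('\\x{%X}', ord $1)/ge;
    printf "%-12s %s\n", "'$shown'",
        defined $ok ? "accepted as $ok" : 'rejected';
}
```

Either control alone closes this path; applying both keeps the call safe if the validation rule is later loosened.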
Provided and/or discovered by:
1) An anonymous person
2) Ricky Zhou
2008-03-11: Added CVE reference.