Aris AGX agXchange ESM Cross Site Scripting Vulnerability






=========================================
Yaniv Miron aka "Lament" Advisory March 12, 2010
Aris AGX agXchange ESM Cross Site Scripting Vulnerability
=========================================

=====================
I. BACKGROUND
=====================

E2B safety submissions module.

When it comes to the electronic submission of safety data using the E2B format,
meeting the often complicated and complex requirements from different regulatory
agencies - EMEA, MHLW, FDA and other NCAs - can be a challenge that consumes
vast amounts of time, effort and resources.

http://www.arisglobal.com/products/agxchange_esm.php


=====================
II. DESCRIPTION
=====================

A malicious attacker may inject scripts into the agXchange ESM module in the Aris AGX application.

=====================
III. ANALYSIS
=====================

Exploitation of this vulnerability results in the execution of arbitrary
script code in the victim's browser when the victim follows a malicious link.

=====================
IV. EXPLOIT
=====================

http://www.example.com/[agx_application]/pages/ucquerydetails.jsp?QueryID=>%22%27>
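
A defender-side check for the request pattern shown above, added here as an example and not part of the original advisory: it scans web access logs for requests to ucquerydetails.jsp whose decoded QueryID value contains HTML metacharacters. The combined log format, the /agx context path and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Page and parameter named in the advisory; matched case-insensitively
# so that differently cased requests are not missed.
TARGET_PAGE = "/pages/ucquerydetails.jsp"
TARGET_PARAM = "queryid"
# Characters that can break out of an HTML tag or attribute context.
HTML_META = set("<>\"'")

# Assumption: Apache/Tomcat "combined"-style log; only the request line is used.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_query_ids(log_lines):
    """Return (line_number, decoded_value) for QueryID values with HTML metacharacters."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith(TARGET_PAGE):
            continue
        # parse_qs percent-decodes values once, so %22 and %27 become " and '.
        params = parse_qs(url.query, keep_blank_values=True)
        for name, values in params.items():
            if name.lower() != TARGET_PARAM:
                continue
            for value in values:
                if HTML_META & set(value):
                    hits.append((number, value))
    return hits


# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2010:10:00:01 +0000] "GET /agx/pages/ucquerydetails.jsp?QueryID=1042 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [12/Mar/2010:10:00:09 +0000] "GET /agx/pages/ucquerydetails.jsp?QueryID=%3E%22%27%3E HTTP/1.1" 200 5133',
    '192.0.2.10 - - [12/Mar/2010:10:00:15 +0000] "GET /agx/pages/home.jsp?QueryID=%22 HTTP/1.1" 200 900',
    '192.0.2.78 - - [12/Mar/2010:10:00:20 +0000] "GET /agx/pages/UCQueryDetails.jsp?queryid=7%27 HTTP/1.1" 200 5133',
]

if __name__ == "__main__":
    for number, value in suspicious_query_ids(SAMPLE_LOG):
        print(f"line {number}: QueryID={value!r}")
```

Values are decoded only once, so double-encoded input would need a second decoding pass before the character check.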

=====================
V. DISCLOSURE TIMELINE
=====================

Jan 2009 Vulnerability found
Jan 2009 Vendor Notification
March 2010 Public Disclosure

=====================
VI. CREDIT
=====================

Yaniv Miron aka "Lament".
lament@ilhack.org 
