TUCoPS :: HP Unsorted S

TUCoPS :: HP Unsorted S :: bu-1904.htm
Sparta Systems TrackWise TeamAccess module Multiple Cross Site Scripting Vulnerabilities

Sparta Systems TrackWise TeamAccess module Multiple Cross Site Scripting Vulnerabilities Sparta Systems TrackWise TeamAccess module Multiple Cross Site Scripting Vulnerabilities


=========================================
Yaniv Miron aka "Lament" Advisory Feb 28, 2010
Sparta Systems TrackWise TeamAccess module Multiple Cross Site Scripting Vulnerabilities
=========================================

=====================
I. BACKGROUND
=====================
TrackWise=AE by Sparta Systems: A Holistic Approach to Enterprise Quality Management

TrackWise by Sparta Systems is an enterprise quality management solution (EQMS)
that optimizes quality, ensures compliance and reduces costs for world-class clients
across a range of industries. TrackWise is the only enterprise quality management solution that offers the flexibility and configurability

to adapt to company-specific business processes,
enabling our world-class clients across a range of industries to define, track, manage
and report on the core activities vital to their success.

http://www.spartasystems.com/trackwise-eqms/

=====================
II. DESCRIPTION
=====================

A malicious attacker may inject scripts into the TrackWise application.

=====================
III. ANALYSIS
=====================

Exploitation of this vulnerability results in the execution of arbitrary
code using a malicious link.

=====================
IV. EXPLOIT
=====================

">http://example.com/[TrackWiseDir]/servlet/TeamAccess/Login/">

">http://example.com/[TrackWiseDir]/servlet/TeamAccess/BatchEditProgress.html/">

=====================
V. DISCLOSURE TIMELINE
=====================

Jan 2009 Vulnerability Found
Jan 2009 Vendor Notification
Feb 2010 Public Disclosure

=====================
VI. CREDIT
=====================

Yaniv Miron aka "Lament".
lament@ilhack.org