Microsoft Service – Persistent Web Vulnerabilities

Date:
=====
2012-04-14

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=433
http://www.vulnerability-lab.com/get_content.php?id=439

MSRC ID: 12209nj

VL-ID:
=====
433

Introduction:
=============
Official Microsoft Partner Program and Application Service. A Microsoft Certified Partner is an independent company that 
provides Microsoft-related products or services. Microsoft Certified partners provide Microsoft services on behalf of 
Microsoft worldwide spanning many fields including OEM, Education, Software providers and Technical Support. Microsoft 
partners also have 24-hour access to Microsoft Support, which enables them to give better customer relations and support 
to a customer. Every Microsoft Certified Partner has been in business for at least 5 years, has passed several tests, and 
has proven skills in their particular field. Microsoft rewards these partners with discounts in tools that are applicable 
to their activities. For example, in the educational field this might take the form of licenses to Microsoft Windows and 
Microsoft Office. In return for participation in the program, partners gain support services and tools from Microsoft, 
often at a significant discount to their face value. However, over the lifetime of the contract some risk is transferred 
from Microsoft to the Microsoft Partner Network in return for the benefits of the association with Microsoft and the ability 
to sell the support services.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Microsoft_Certified_Partner)

Abstract:
=========
A Vulnerability Lab Researcher discovered a persistent web vulnerability on Microsofts official Partners Application Service.

Report-Timeline:
================
2012-02-11:	Vendor Notification
2012-02-00:	Vendor Response/Feedback
2012-04-10:	Vendor Fix/Patch by Check 
2012-04-14:	Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are detected on Microsofts official Partner Network 
Application Service. The vulnerability allows an remote attacker or local low privileged user account to 
inject/implement malicious persistent script code (Application-Side). Successful exploitation with low 
required user inter action can result in session hijacking against admin, moderator & customer sessions or 
allows an attacker to manipulate requests via persistent script code inject. The vulnerability is located on 
the Company & Mobile Phone Number input fields of the microsoft partner network service application user profile.

Vulnerable Module(s):
				[+] Company & Mobile Phone Number (Profile)
				[+] Company Name Profile Listing

评论关闭。