BizTalk360 CVE Report
  • 23 May 2024
  • 4 Minutes to read
  • Dark
    Light
  • PDF

BizTalk360 CVE Report

  • Dark
    Light
  • PDF

Article summary

Vulnerabilities Addressed 

This article presents a detailed CVE report for a specific vulnerability discovered in the BizTalk360 application earlier. The vulnerabilities possess significant risks to the application's integrity and the confidentiality of its data. This report will cover the identification of vulnerabilities and steps taken to address them.

CategoryHow is it vulnerable?How is it fixed?Fixed Versions
Elevated bundle temporary directory vulnerability
In WiX versions prior to v3.14.1, standard users could manipulate temporary files from elevated bundle launches, potentially leading to DLL injection attacks due to temporary folders located in the accessible Windows Temp directory.
The WiX toolset was updated to version 3.14.1, this update relocates temporary folders to a secure location inaccessible to standard users.
V11.0
Technical information leaking

When an applicative error occurs, the server returns a stack trace containing several pieces of information such as the physical path, library version and source code. With that the HTTP response headers contain IIS and ASP versions.
Information related to IIS and ASP versions has been removed from the stack trace.
V10.8
Directory listing

Previously, there were an option to browse the content of the server directory.
After installing BizTalk360 application, Directory browsing has been disabled in IIS webserver by default.
V10.8
Cross-site scripting (DOM-based)

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.
The document.write method, which was previously used to generate the URL enabling anonymous users to modify the script, has been removed.

V10.8
Database connection string disclosed

A database connection string specifies information about a data source and the means of connecting to it. In web applications, connection strings are generally used by the application tier to connect to the back database used for storing application data.
It is almost never necessary for applications to disclose database connection strings to clients. The reason for the disclosure has been reviewed and addressed.
V10.8
Unencrypted CommunicationIn certain requests, the application is communicated over HTTP in which information and authentication tokens are sent in clear text over the network. And there is no possibility to connect to the application over HTTPS.This is mitigated by allowing BizTalk360 application to communicate via HTTPS.V10.6
SQL InjectionThere is a possibility that an anonymous user might be able to modify the SQL logic and gain access to the database. The application appeared to suffer from SQL Injection in several parameters sent in multiple different requests.This has been handled by using parameterized queries for all database access.V10.3
Stored XSS
The avatar functionality is impacted by a stored XSS, by uploading image file on the profile icon. When opening the file, the HTML/JavaScript content is displayed without any type of sanitization.It is being prevented users from storing any HTML/JavaScript files on the application.V10.3
Remote code execution
In the user profile icon, it is possible to store ASP file. By using such files, it is possible to execute commands on the underlying server such as getting the current working directory or current working users.Users are prevented from storing any ASP files in the application.V10.3

Known Vulnerabilities

When assessing and managing vulnerabilities within the application, it is typically prioritized based on the potential impact and likelihood of exploitation. For few vulnerabilities has to adjust the configuration in the hosted environment. And some vulnerabilities are considered less critical and may be given a lower priority or even deemed negligible for various reasons. Here are some categories and examples of such vulnerabilities, along with an explanation and solution to mitigate it.

CWE-319

Summary:  Insecure Transport (Medium)

A link is functional over an insecure, HTTP connection. No redirection to HTTPS occurs. Note that this QID is reported for 200/OK responses as well as 4xx and 5xx responses.

Description:

Data sent over a non-HTTPS connection is unencrypted and vulnerable to network sniffing attacks that can expose sensitive or confidential information. This includes non-secure cookies and other potentially sensitive data contained in HTTP headers. Even if no sensitive data is transmitted, man-in-the-middle (MITM) attacks are possible over non-HTTPS connections. An attacker who exploits MITM can intercept and change the conversation between the client (e.g., web browser, mobile device, etc.) and the server.

Solution:

Ensure that all links are accessible over HTTPS only. The most secure design is for the application to listen and respond only to encrypted HTTPS requests. Alternatively, if non-HTTPS requests are accepted, the server should redirect these requests to HTTPS using a 301 or 302 response. Installing BizTalk360 and accessing it over HTTPS, this can be mitigated.

CWE-200 

Summary:  Web Server Information Disclosure (Low)

The target application discloses the Web Server software version via the "Server:" token sent in HTTP response header.

Description:

Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes.

Solution:

Customers are advised to modify the HTTP response header of the target application to not disclose detailed information about the underlying web server. Server implementers are encouraged to make this field a configurable option. Installing BizTalk360 and accessing it over HTTPS, this can be mitigated. 


Was this article helpful?

What's Next