This article presents the details of vulnerabilities discovered in earlier versions of the BizTalk360 application. These vulnerabilities pose significant risks to the integrity of the application and the confidentiality of its data. The report covers how each vulnerability was identified and the steps taken to address it, together with the version in which the fix shipped.
Category | How is it vulnerable? | How is it fixed? | Fixed Version |
|---|---|---|---|
Information Disclosure | The application returned default error messages that exposed sensitive information such as server architecture, version details, file existence and user presence. These verbose errors could be used by an attacker to gather information about the system. | Detailed error messages that exposed server information have been replaced with IIS custom error pages for all remote/domain users. Only users accessing BizTalk360 directly from the IIS server (for troubleshooting purposes) will see detailed errors, controlled via | 11.6 |
Insecure File Handling | The profile image upload functionality did not enforce unique filenames, so one user could overwrite another user's profile picture by uploading a file with the same name. In addition, open directory listing made it possible for users to view all stored profile images and their filenames. | Profile images are now stored under a unique filename formed by appending the username. This prevents one user's upload from overwriting another's and keeps each user's profile picture isolated. | 11.6 |
Arbitrary File Read | The | The | 11.6 |
Directory traversal and absolute path overwrite | The | The UploadFile API now only accepts actual uploaded files (not client-supplied paths); it normalizes and validates filenames, rejects absolute paths and traversal sequences, enforces an allowlist for filenames/extensions, and saves files into a controlled, per-application directory. | 11.6 |
Broken Access Control | An anonymous user could call the APIs that upload files/DLLs, and several APIs on the settings side were exposed because role-based access controls were missing and uploaded files and configuration were insufficiently validated. | Only the Superuser role now has the privilege to call the following API methods; for all other user roles, access to these APIs is restricted. | 11.5 |
SQL Injection | An anonymous user could potentially modify the SQL logic and gain access to the database. The application appeared to be vulnerable to SQL injection in several parameters sent in multiple different requests. | The UpdateEsbExceptionDbConfig, ValidateESBPortalSetting and UpdateFeatureVisits APIs were found to be prone to SQL injection. These APIs were identified and the necessary changes were made to prevent SQL injection attacks. | 11.2 |
Database connection string disclosed | A database connection string specifies information about a data source and the means of connecting to it. In web applications, connection strings are generally used by the application tier to connect to the back-end database that stores application data. The ESB connection string was stored in the database without encryption. | It is almost never necessary for an application to disclose database connection strings to clients. The cause of the disclosure was reviewed and addressed. | 11.2 |
Elevated bundle temporary directory vulnerability | In WiX versions prior to v3.14.1, a standard user could manipulate the temporary files created when an elevated bundle was launched, because the temporary folders were located in the Windows Temp directory, which standard users can write to. This could lead to DLL injection into the elevated process. | The WiX toolset was updated to version 3.14.1, which relocates the temporary folders to a secure location that standard users cannot access. | 11.0 |
Information leakage | When an application error occurred, the server returned a stack trace containing the physical path, library versions and source code fragments. In addition, the HTTP response headers disclosed the IIS and ASP versions. | IIS and ASP version information has been removed from the stack trace. | 10.8 |
Directory listing | Previously, it was possible to browse the contents of the server directory. | Directory browsing is disabled in the IIS web server; this is handled at installer level. | 10.8 |
Cross-site scripting (DOM-based) | DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way. | The document.write call that was previously used to generate the URL, and which allowed anonymous users to modify the script, has been removed. | 10.8 |
Database connection string disclosed | A database connection string specifies information about a data source and the means of connecting to it. In web applications, connection strings are generally used by the application tier to connect to the back-end database that stores application data. | It is almost never necessary for an application to disclose database connection strings to clients. The cause of the disclosure was reviewed and addressed. | 10.8 |
Unencrypted Communication | In certain requests the application communicated over HTTP, so information and authentication tokens were sent in clear text over the network, and there was no way to connect to the application over HTTPS. | This is mitigated by allowing the BizTalk360 application to communicate over HTTPS. | 10.6 |
SQL Injection | An anonymous user could potentially modify the SQL logic and gain access to the database. The application appeared to be vulnerable to SQL injection in several parameters sent in multiple different requests. | This has been handled by using parameterized queries for all database access. | 10.3 |
Stored XSS | The avatar functionality was affected by stored XSS: a file containing HTML/JavaScript could be uploaded as the profile icon, and when the file was opened its content was rendered without any sanitization. | Users are now prevented from storing HTML/JavaScript files in the application. | 10.3 |
Remote code execution | It was possible to store an ASP file as the user profile icon. Such a file can be used to execute commands on the underlying server, for example to read the current working directory or the current user. | Users are now prevented from storing ASP files in the application. | 10.3 |
Missing Headers | Some security mechanisms could be implemented using HTTP headers in order to better protect the users of the website. | The Strict-Transport-Security header is now sent with the value "max-age=31536000; includeSubDomains; preload". | |
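The Insecure File Handling, Directory traversal, Stored XSS and Remote code execution rows above all come down to one upload handler that trusted the client's filename. The following is an added example, written for this article and not BizTalk360's own UploadFile code, of the checks such a handler needs: reject absolute and UNC paths, reject any directory component or traversal sequence, allowlist the extension, append the username to make the stored name unique, and confirm the resolved path still lies under the upload root. The upload directory, the sample filenames and the usernames are constructed for the demonstration. The username validation is a caveat the table does not spell out: if the username appended to the filename is not itself validated, the uniqueness fix reintroduces the traversal it sits next to.

```python
import os
import re
from pathlib import PurePosixPath, PureWindowsPath

# Allowlist for a profile-image endpoint. HTML, ASP/ASPX and DLL are
# deliberately absent: the stored-XSS, RCE and DLL-upload findings above all
# came from accepting whatever extension the client sent.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Permitted file stems and usernames: conservative character set, no leading
# dot, bounded length.
_SAFE_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def sanitize_upload_name(client_name: str) -> str:
    """Return a normalized bare filename or raise ValueError.

    The client-supplied name is accepted only if it is a plain filename:
    no NUL bytes, no absolute path (POSIX, Windows drive or UNC), no
    directory separators (so no '..' traversal), no colon (drive letters,
    NTFS alternate data streams) and an allowlisted extension.
    """
    if not client_name or "\x00" in client_name:
        raise ValueError("empty name or embedded NUL")
    # Check both path flavours: the server runs on Windows/IIS, but a client
    # can send either separator style.
    if PureWindowsPath(client_name).is_absolute() or PurePosixPath(client_name).is_absolute():
        raise ValueError("absolute path rejected")
    if "/" in client_name or "\\" in client_name:
        raise ValueError("directory component or traversal sequence rejected")
    if ":" in client_name:
        raise ValueError("drive letter or alternate data stream rejected")
    stem, ext = os.path.splitext(client_name)
    ext = ext.lower()
    if not _SAFE_TOKEN.fullmatch(stem):
        raise ValueError("filename stem contains disallowed characters")
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not in allowlist")
    return stem + ext


def build_storage_path(base_dir: str, username: str, client_name: str) -> str:
    """Compute where the upload is written, inside base_dir only.

    The username is appended to the stem so two users cannot collide on the
    same name (the 11.6 fix). The username is validated first: an unchecked
    value such as '../bob' would reintroduce traversal through the very
    suffix meant to isolate users.
    """
    if not _SAFE_TOKEN.fullmatch(username):
        raise ValueError("username contains disallowed characters")
    safe_name = sanitize_upload_name(client_name)
    stem, ext = os.path.splitext(safe_name)
    stored_name = f"{stem}_{username}{ext}"

    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, stored_name))
    # Defence in depth: even after the checks above, refuse anything that
    # resolves outside the upload root (symlinks, unexpected normalization).
    if os.path.commonpath([root, target]) != root:
        raise ValueError("resolved path escapes the upload directory")
    return target


def is_rejected(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used by the demo and the checks."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs (assumed upload root and usernames), not
    # captured requests.
    base = "/srv/biztalk360/profile-images"
    samples = [
        ("alice", "avatar.PNG"),
        ("alice", "../../web.config"),
        ("alice", "C:\\inetpub\\wwwroot\\BizTalk360\\x.png"),
        ("alice", "\\\\fileserver\\share\\x.png"),
        ("alice", "shell.asp"),
        ("alice", "page.html"),
        ("alice", "avatar.png\x00.asp"),
        ("../bob", "avatar.png"),
    ]
    for user, name in samples:
        try:
            print(f"{user!r:10} {name!r:45} -> {build_storage_path(base, user, name)}")
        except ValueError as exc:
            print(f"{user!r:10} {name!r:45} -> REJECTED: {exc}")
```

The extension allowlist is what closes the Stored XSS and RCE rows (no .html, no .asp reaches the web root); the separator, colon and absolute-path checks close the traversal and absolute-path-overwrite rows; the `commonpath` check is the last line of defence if a future change weakens the others. Content sniffing of the uploaded bytes (checking that a .png really is a PNG) is a further layer that this example does not include.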
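The two SQL Injection rows name the fix (parameterized queries) without showing why concatenation fails. The following added example, written for this article and not taken from BizTalk360, shows the vulnerable pattern beside the parameterized one on a constructed table. SQLite stands in for the SQL Server back end, the `feature_visits` table and its rows are invented for the demonstration, and the function names are assumptions; nothing here reproduces the real UpdateFeatureVisits schema or queries.

```python
import sqlite3

# Constructed sample data standing in for a feature-usage table. The real
# BizTalk360 schema is not on the page and is not reproduced here.
SAMPLE_ROWS = [
    ("Dashboard", "alice", 12),
    ("ESB Portal", "alice", 3),
    ("Settings", "bob", 7),
]

# A classic string-delimiter payload supplied in the username parameter.
PAYLOAD = "x' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE feature_visits (feature TEXT, username TEXT, visits INTEGER)"
    )
    conn.executemany("INSERT INTO feature_visits VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def visits_vulnerable(conn: sqlite3.Connection, feature: str, username: str) -> list:
    """The 'before' pattern: values concatenated into the SQL text.

    With PAYLOAD as the username the WHERE clause becomes
        feature = 'Dashboard' AND username = 'x' OR '1'='1'
    which is true for every row, so the caller reads the whole table.
    """
    sql = (
        "SELECT feature, username, visits FROM feature_visits "
        f"WHERE feature = '{feature}' AND username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def visits_parameterized(conn: sqlite3.Connection, feature: str, username: str) -> list:
    """The fix: placeholders. The driver sends the values separately from the
    statement, so quotes in the input never reach the parser as syntax."""
    sql = (
        "SELECT feature, username, visits FROM feature_visits "
        "WHERE feature = ? AND username = ?"
    )
    return conn.execute(sql, (feature, username)).fetchall()


def update_visits_parameterized(conn: sqlite3.Connection, feature: str, username: str) -> int:
    """Parameterized UPDATE for the write path; returns the rows affected.
    The same payload matches nothing here because it is compared as a literal."""
    cur = conn.execute(
        "UPDATE feature_visits SET visits = visits + 1 "
        "WHERE feature = ? AND username = ?",
        (feature, username),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("vulnerable   :", visits_vulnerable(db, "Dashboard", PAYLOAD))
    print("parameterized:", visits_parameterized(db, "Dashboard", PAYLOAD))
    print("updated rows :", update_visits_parameterized(db, "Dashboard", PAYLOAD))
```

Running the block shows the concatenated query returning all three rows for the payload while the parameterized query returns none and the parameterized UPDATE touches nothing. The precedence of AND over OR is what makes the payload work in the username position; placing it in the feature parameter would be neutralized by the following AND, which is why a finding limited to "several parameters" should still be fixed for every parameter, not only the ones a scanner happened to trigger.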