CVE-2014-7290 Atlas Systems Aeon Web Application Service XSS (Cross-Site Scripting) Vulnerability

Exploit Title: Atlas Systems Aeon XSS Vulnerability
Product: Aeon

Vendor: Atlas Systems

Vulnerable Versions: 3.6 3.5

Tested Version: 3.6

Advisory Publication: Nov 12, 2014

Latest Update: February 14, 2015

CVE Reference: CVE-2014-7290

Vulnerability Type: Cross-Site Scripting [CWE-79]
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Solution Status: Fixed by Vendor
Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Caution Details:


(1) Vendor & Product Description:


Vendor:
Atlas



Product & Vulnerable Versions:
Aeon
3.6 3.5



Vendor URL & Download:
Product can be obtained from here,
http://www.atlas-sys.com/aeon/

What is Aeon?
"Aeon is special collections circulation and workflow automation software for your special collections library designed by special collections librarians.

Aeon improves customer service and staff efficiency while providing unparalleled item tracking, security and statistics.

Aeon is request and workflow management software specifically designed for special collections libraries and archives. Aeon improves patron service and maximizes staff efficiency while providing unparalleled item tracking, security and statistics.The Aeon Web Interface enables your patrons to request items directly from your online catalog and finding aids for viewing in your reading room or ordering duplication and digital imaging services, and allows them to monitor fulfillment of their requests through a personalized web account. The Aeon Staff Client permits your staff to manage every step of every transaction, from shelf to patron and back again, with full control and ease. The Aeon Web Reports and custom search features provide quick access to complete patron and item request histories and offer a wide array of usage analyses"

About Atlas:
"Atlas Systems, Inc. is a software development company headquartered in Virginia Beach, VA dedicated to serving libraries. Founded in July 1995 with the mission of “promoting library excellence through efficiency,” Atlas is best known for creating  the ILLiad interlibrary loan management system now exclusively distributed by OCLC and used by more than 1,000 libraries worldwide. Focused on bringing the benefits of automation to library processes that have not been addressed by other software services, Atlas has introduced Ares, an electronic reserves solution, and Aeon, an online request and workflow management system specifically designed for special collections libraries and archives. Atlas takes a process-driven approach to software development. Atlas developers work closely with librarians first to understand the specific user services environment and then to design a system that improves service quality while achieving optimum efficiency and process control. Once the software has been created, Atlas provides implementation, training and ongoing product support, including continual development of new features and enhancements in response to client needs and desires. This workflow review and improvement approach to software design sets Atlas apart in the library automation market."


From:
https://www.atlas-sys.com/products/aeon/downloads/10_112_aeon_broch_web.pdf







(2) Vulnerability Details:
Aeon web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug researchers before. Aeon has patched some of them. "scip AG was founded in 2002. We are driven by innovation, sustainability, transparency, and enjoyment of our work. We are completely self-funded and are thus in the comfortable position to provide completely independent and neutral services. Our staff consists of highly specialized experts who focus on the topic information security and continuously further their expertise through advanced training".

(2.1) The first code flaw occurs at “aeon.dll?” page, with “&Action” parameter.

(2.2) The second code flaw occurs at “aeon.dll?” page, with “&Form” parameter.

(3) Solutions:

2014-09-01: Report vulnerability to Vendor

2014-10-05: Vendor replied with thanks and vendor will change the source code

References:

http://tetraph.com/security/xss-vulnerability/cve-2014-7290
https://progressive-comp.com/?l=full-disclosure&m=141599346408756&w=1

http://germancast.blogspot.com/2015/01/aeon-xss-zero-day-bug.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7290

http://www.securityfocus.com/bid/71185

http://computerobsess.blogspot.com/2014/11/cve-2014-7290-atlas-systems-aeon-xss.html
http://www.scap.org.cn/CVE-2014-7290.html
https://cxsecurity.com/issue/WLB-2014110105

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01309.html
http://marc.info/?l=full-disclosure&m=141599346408756&w=4
https://packetstormsecurity.com/files/129114/Atlas-Systems-Aeon

https://vulnerabilitypost.wordpress.com/2014/12/04/cve-2014-7290