Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Thomson Reuters FATCA - Local File Inclusion

From: Etnies <kuba25101990 () gmail com>
Date: Mon, 10 Aug 2015 21:56:20 +0200
Title: Thomson Reuters FATCA - Local File Inclusion
Author: Jakub Pałaczyński
Date: 10. June 2015
CVE: CVE-2015-5952

Affected software:
==================

All versions of Thomson Reuters FATCA below v5.2

Exploit was tested on:
======================

Thomson Reuters FATCA v5.1.0.30

Description:
============

The Thomson Reuters for FATCA solution enables organizations to comply with
the key requirements of both CRS and FATCA.[1]


Vulnerabilities:
****************

Local File Inclusion:
============================================

Application's parameter "item" is vulnerable to Local File Inclusion, which
makes it possible to include application/system files.
Using this vulnerability FATCA users can for example include uploaded PHP
files (upload directory can be retrieved from the application's error
message) and execute system commands.

References:
===========

[1] Overview:
https://risk.thomsonreuters.com/products/thomson-reuters-fatca

Contact:
========

Jakub[dot]Palaczynski[at]ingservicespolska[dot]pl

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: