Polaris’ Intellect Core Banking Software Version 9.7.1 - Open Redirect [CVE-2018-14931]


[+] Credits: Neeraj Kumar, Hai Dang Long
[+] Email: neeraj.iiita2009@gmail.com

Vendor:
====================

Product:
===================
Polaris’ Intellect Core Banking, Core and Portal Module

Version:
===================
Affected Version: 9.7.1

Vulnerability Type:
====================
Open Redirect

CVE Reference:
==============
CVE-2018-14931

Vulnerability Details:
======================
The Core module of Polaris’ Intellect Core Banking Software is vulnerable to open redirect. Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Exploit URL(s):
====================
http://<targetIP>/IntellectMain.jsp?IntellectSystem=https://google.com
It will redirect to http://www.google.com

Affected Component:
====================
Parameters Name: IntellectSystem
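
The following is an added example, not code from the advisory or from the vendor: a defender-side validator that only accepts site-relative paths or an allowlisted host as a redirect target, plus a check over constructed access-log lines that flags requests where the IntellectSystem parameter points off-site. The host bank.example.com, the log format and the log lines are assumptions made for the example.

```python
# Added example (not from the advisory or vendor): redirect-target
# validation and a log check for off-site IntellectSystem values.
from urllib.parse import urlsplit, parse_qs, unquote

# Hosts the application may legitimately redirect to (assumed value).
ALLOWED_HOSTS = {"bank.example.com"}

def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` stays on the application or an allowed host.

    Accepts site-relative paths ("/Portal/home") and absolute URLs whose
    host is allowlisted; rejects foreign hosts, scheme-relative targets
    ("//host"), non-http schemes and backslashes (browsers may treat
    them as slashes).
    """
    target = unquote(target).strip()
    if not target or "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc.
    if parts.netloc:
        # Strip any userinfo and port so "host@evil" cannot pass as host.
        host = parts.netloc.rsplit("@", 1)[-1].split(":")[0].lower()
        return host in allowed_hosts
    # No host component: must be a plain site-relative path, not "//host".
    return target.startswith("/") and not target.startswith("//")

def flag_open_redirect_requests(log_lines, param="IntellectSystem",
                                allowed_hosts=ALLOWED_HOSTS):
    """Yield (line, value) for requests whose redirect parameter is off-site."""
    for line in log_lines:
        fields = line.split()  # constructed format: METHOD target STATUS
        if len(fields) < 2:
            continue
        query = urlsplit(fields[1]).query
        for value in parse_qs(query).get(param, []):
            if not is_safe_redirect(value, allowed_hosts):
                yield line, value

# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "GET /IntellectMain.jsp?IntellectSystem=/Portal/home 302",
    "GET /IntellectMain.jsp?IntellectSystem=https://google.com 302",
    "GET /IntellectMain.jsp?IntellectSystem=//evil.example 302",
    "GET /IntellectMain.jsp 200",
]

if __name__ == "__main__":
    for line, value in flag_open_redirect_requests(SAMPLE_LOG):
        print("off-site redirect:", value, "|", line)
```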

Disclosure Timeline:
=====================
Vendor Notification: 17 June 2018
Mitre Notification: 04 August 2018
Public Disclosure: 31 March 2019

Attack Type:
=====================
Remote

Impact Code execution:
=====================
True

Impact Information Disclosure
=====================
True

Description:
=====================================================
Request Method(s): [+] GET
Vulnerable Product: [+] Polaris’ Intellect Core Banking, Core and Portal Modules
Vulnerable Parameter(s): [+] IntellectSystem

Disclaimer:
=====================================================
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c).
