Disclosure date: 01/07/20

CVE-2020-6583

Online Invoicing System (OIS) version 2.6, and possibly earlier versions, is affected by a stored cross-site scripting (XSS) vulnerability that can be leveraged for session hijacking. An attacker can exploit the XSS vulnerability, retrieve the session cookie from the administrator's login, and take over the administrator account.

Add New Client:

Insert XSS:

Note the script tags are removed from the UI:

But not in the SQL DB:

When viewing the Reports page:

Leveraging the XSS to steal the session cookie:

Again, the script tags are removed:

But we get execution and can retrieve the session cookie:

We access the site from an unauthenticated browser:

We inspect the cookie:

We replace the cookie:

We refresh the page and we notice the Admin Area appear:

Session Hijacked:

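The walkthrough above shows the pattern that makes this a stored XSS: the script tags are filtered in one view, the raw value is kept in the database, and the Reports page renders it unescaped. The following Python is an added example written for this page, not OIS code. It models the two views against an in-memory SQLite table (the schema, the client name and the cookie name are all constructed), shows that HTML-encoding at every output point renders the stored markup inert without touching the stored data, and builds the HttpOnly session cookie that keeps a session id out of reach of injected script even when a filter is missed.

```python
"""Stored XSS defence walk-through (constructed example, not OIS code).

Models the failure pattern from the advisory: a client name is stored
unmodified, one view strips <script> tags for display, and another view
(the reports page) renders the stored value raw. The fix is output
encoding at every render point plus an HttpOnly session cookie.
"""
import html
import re
import sqlite3
from http.cookies import SimpleCookie

# Constructed sample input containing inert markup; not a payload from the advisory.
SAMPLE_CLIENT_NAME = "Acme Corp <script>x()</script>"

SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)


def make_db(client_name: str = SAMPLE_CLIENT_NAME) -> sqlite3.Connection:
    """In-memory stand-in for the application database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    # Parameterised insert: no SQL injection here, but the markup is stored as-is.
    conn.execute("INSERT INTO clients (name) VALUES (?)", (client_name,))
    conn.commit()
    return conn


def stored_names(conn: sqlite3.Connection) -> list[str]:
    """What actually sits in the table: the raw value, markup included."""
    return [row[0] for row in conn.execute("SELECT name FROM clients ORDER BY id")]


def render_client_list_vulnerable(conn: sqlite3.Connection) -> str:
    """Strips <script> tags at display time only; the stored value is untouched.
    Tag stripping is not encoding: any other markup still passes through."""
    return "".join(f"<li>{SCRIPT_TAG.sub('', name)}</li>" for name in stored_names(conn))


def render_reports_vulnerable(conn: sqlite3.Connection) -> str:
    """Second view with no filtering: the stored markup reaches the browser."""
    return "".join(f"<tr><td>{name}</td></tr>" for name in stored_names(conn))


def render_reports_fixed(conn: sqlite3.Connection) -> str:
    """HTML-encode at output; the stored value is unchanged but rendered inert."""
    return "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td></tr>" for name in stored_names(conn)
    )


def contains_raw_script_tag(rendered: str) -> bool:
    """Regression check for templates: does user data form a real <script> element?"""
    return SCRIPT_TAG.search(rendered) is not None


def session_cookie_header(session_id: str, name: str = "session") -> str:
    """Set-Cookie value with HttpOnly (unreadable via document.cookie), Secure, SameSite."""
    jar = SimpleCookie()
    jar[name] = session_id
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    db = make_db()
    print("stored :", stored_names(db))
    print("list   :", render_client_list_vulnerable(db))
    print("report :", render_reports_vulnerable(db), "<- script element survives")
    print("fixed  :", render_reports_fixed(db))
    print("cookie :", session_cookie_header("constructed-session-id"))
```

Run directly to see the three renderings side by side. The `contains_raw_script_tag` check is the kind of assertion a template test suite should make for every view that prints user-supplied data, not only the one where filtering was noticed; the cookie flags are the second layer, so that a missed view does not hand over the administrator session.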
Cybersecurity solutions for small businesses.

info@sevenlayers.com
877.468.0911

© 2021 Seven Layer Networks, Inc. | All rights reserved.