From: Ulf Harnhammar (ulfh@update.uu.se)
Date: Thu Jun 06 2002 - 18:26:40 CDT


    CBMS: XSS and SQL Injection holes

    PROGRAM: CBMS
    VENDOR: Voxel Dot Net, Inc. <cbms@voxel.net>
    HOMEPAGE: http://www.voxel.net/projects/cbms/
    VULNERABLE VERSIONS: 0.7 (and possibly earlier versions as well)
    LOGIN REQUIRED: yes
    SEVERITY: high
    VERSION OF THIS ADVISORY: 1.1

    DESCRIPTION:

    "The CBMS is a full featured client/billing management system designed from
    the ground up to cater specifically to hosting providers. The software is a
    PHP script package which uses mysql. Notable features include automated
    invoicing, client search, multiple customizable packages for clients, and
    client viewable real time invoice."
    (direct quote from the program's project page at Freshmeat)

    It is published under the terms of the Voxel Public License.

    SECURITY HOLES:

    CBMS is littered with XSS (Cross-site Scripting) and SQL Injection holes.
    Whether you're looking at a client, working with invoices or editing client
    packages, those holes exist almost everywhere. The code doesn't really do
    anything to stop it either - it just allows HTML code to be posted and
    malicious data to be injected into SQL statements.

    One obvious example of an XSS hole is the first name field on the Add a new
    client screen, a field which is shown without the htmlspecialchars()
    treatment in the client list. One example of an SQL Injection hole can be
    found in the dltclnt.php script, which wipes all clients if you go to
    dltclnt.php?choice=yes&idnum=clientid
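    The following PHP is an added illustration of the two defect classes the advisory names (unescaped output of a stored field, and request data interpolated into SQL), each beside its hardened form. It is not CBMS's own source, which is not reproduced here; the function names, the `clients` table and the sample rows are constructed for the example, and it runs offline against an in-memory SQLite database through PDO.

```php
<?php
// Added example, not CBMS code: the two defect classes from the advisory,
// each beside a hardened form. Table and rows below are constructed.

// ---- XSS: rendering a client's first name in the client list ----

// Vulnerable pattern as the advisory describes it: the stored value is
// echoed as-is, so any HTML the client entered is rendered by the browser.
function renderNameUnsafe(string $firstName): string
{
    return "<td>$firstName</td>";
}

// Hardened: encode for an HTML context. ENT_QUOTES also encodes single
// quotes, which matters when the value lands inside an attribute.
function renderNameSafe(string $firstName): string
{
    return '<td>' . htmlspecialchars($firstName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// ---- SQL injection: deleting a client by id ----

// Vulnerable pattern: untrusted request data becomes part of the SQL text,
// so the database executes whatever the client supplied as idnum.
function deleteClientUnsafe(PDO $db, string $idnum): int
{
    return $db->exec("DELETE FROM clients WHERE id = $idnum");
}

// Hardened: validate the type first, then bind the value as a parameter so
// the database never interprets it as SQL. ctype_digit() rejects anything
// that is not a run of decimal digits, including tampered values that a bare
// (int) cast would silently truncate.
function deleteClientSafe(PDO $db, string $idnum): int
{
    if (!ctype_digit($idnum)) {
        throw new InvalidArgumentException('idnum must be a positive integer');
    }
    $stmt = $db->prepare('DELETE FROM clients WHERE id = :id');
    $stmt->bindValue(':id', (int) $idnum, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// ---- Demonstration with constructed data ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, first_name TEXT)');
$db->exec("INSERT INTO clients (first_name) VALUES ('Alice'), ('Bob'), ('<b>Eve</b>')");

// The third row renders as literal text, not as a bold element.
foreach ($db->query('SELECT first_name FROM clients') as $row) {
    echo renderNameSafe($row['first_name']), "\n";
}

// A well-formed id deletes exactly one row.
echo deleteClientSafe($db, '2'), " row(s) deleted\n";

// A tampered id is rejected before any SQL is built.
try {
    deleteClientSafe($db, '2abc');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

    Two points the example is meant to make: output encoding belongs at the point of rendering, not at input time, and it must match the context (htmlspecialchars() covers HTML body and attribute values, not JavaScript or URL contexts); and for the delete, the validation step is what turns the id into data, since `(int) '2abc'` would quietly yield 2 and hide the fact that the request was tampered with.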

    COMMUNICATION WITH VENDOR:

    The vendor was contacted the first time on the 19th of May. No reply. They
    were contacted again on the 24th of May. This time they replied that they were
    working on a fixed version, which still hasn't been released.

    // Ulf Harnhammar
    ulfh@update.uu.se