ModernBill multiple SQL inj. vuln.

2006-04-18 00:00:00
vulners.com

###############################################
Vuln. discovered by : r0t
Date: 18 april 2006
vendor:www.moderngigabyte.com
product link:
www.moderngigabyte.net/modernbill/index.htm?ref=home_of_modernbill
affected versions:4.3.2 and previous
original advisory:
http://pridels.blogspot.com/2006/04/modernbill-multiple-sql-inj-vuln.html
###############################################

Vuln. description:

  1. SQL injection vuln. with user perm.

ModernBill contains a flaw that allows remote SQL injection attacks. Input
passed to the "id" parameter in "user.php" isn't properly sanitised before
being used in a SQL query. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.

examples:

/user.php?op=menu&tile=mysupport&type=view&id=1[SQL]

/user.php?op=menu&tile=mysupport&type=details&id=(existing id number)[SQL]

/user.php?op=client_invoice&db_table=client_invoice&tile=myinvoices&print=&id=invoice_id|2869[SQL]

  2. SQL injection vuln. with admin perm.

ModernBill contains a flaw that allows remote SQL injection attacks. Input
passed to the "WHERE+todo_status", "where", "order" and "WHERE+call_status"
parameters in "admin.php" isn't properly sanitised before being used in a
SQL query. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

examples:

/admin.php?op=view&db_table=todo_list&tile=todo&where=WHERE+todo_status=[SQL]

/admin.php?op=view&db_table=todo_list&tile=todo&where=[SQL]

/admin.php?op=view&db_table=todo_list&where=&order=[SQL]

/admin.php?op=view&db_table=support_desk&tile=support_desk_list&where=WHERE+call_status=[SQL]

###############################################
notice: for successful exploitation (in the second case) the attacker must have
"admin" permissions.
btw, there are many more mistakes/vulns in the admin panel, but as you
understand, if the attacker has admin permissions he will not need to exploit
those vulns.
Also, it was tested on ModernBill Version 4.3.2:B-2:PR:Z:35, but I think
that the 5.0 RC1 version has the same vuln.
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
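As an added example (not ModernBill's own code, which the advisory does not show), the assumed vulnerable pattern beside a hardened form: the "id" parameter is bound as an integer, and the "where"/"order" parameters, which the URLs above carry as raw SQL fragments, are replaced by a column name and a value checked against an allowlist. The table and column names and the function names are hypothetical; a mysqli connection with mysqlnd is assumed.

```php
<?php
// Added example, not ModernBill's own code: the advisory does not show the
// vulnerable source, so the "before" pattern is an assumption of how "id",
// "where" and "order" reach the query. Table/column names are hypothetical.

// BEFORE (assumed): request text is pasted straight into SQL text.
//   $sql = "SELECT * FROM todo_list " . $_GET['where'] . " ORDER BY " . $_GET['order'];
//   $sql = "SELECT * FROM client_invoice WHERE id = " . $_GET['id'];

// AFTER: identifiers come only from this allowlist; values are bound parameters.
const FILTER_COLUMNS = [
    'todo_list'      => ['todo_status'],
    'support_desk'   => ['call_status'],
    'client_invoice' => [],
];

// Replaces "...&id=1[SQL]": "id" must be a plain integer and is bound, never concatenated.
function fetchById(mysqli $db, string $table, string $id): ?array
{
    if (!array_key_exists($table, FILTER_COLUMNS) || !ctype_digit($id)) {
        throw new InvalidArgumentException('table not allowed or id not an integer');
    }
    $idInt = (int) $id;
    $stmt = $db->prepare("SELECT * FROM `$table` WHERE id = ?");
    $stmt->bind_param('i', $idInt);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Replaces "...&where=WHERE+todo_status=[SQL]&order=[SQL]": the caller passes a
// column name and a value instead of an SQL fragment; the column and the sort
// key must both be allowlisted, so no request-controlled text becomes SQL.
function listFiltered(mysqli $db, string $table, string $column, string $value, string $orderBy): array
{
    $allowed  = FILTER_COLUMNS[$table] ?? null;
    $sortable = $allowed === null ? [] : array_merge($allowed, ['id']);
    if ($allowed === null || !in_array($column, $allowed, true) || !in_array($orderBy, $sortable, true)) {
        throw new InvalidArgumentException('table or column not allowed');
    }
    $stmt = $db->prepare("SELECT * FROM `$table` WHERE `$column` = ? ORDER BY `$orderBy`");
    $stmt->bind_param('s', $value);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

With a live connection, `listFiltered($db, 'todo_list', 'todo_status', $_GET['status'] ?? '', 'id')` serves the todo view; any table, column or sort key outside the allowlist is refused before a query string is ever built.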
###############################################
More information @ unsecured-systems.com/forum/