ModernBill multiple SQL inj. vuln.
###############################################
Vuln. discovered by: r0t
Date: 18 April 2006
vendor: www.moderngigabyte.com
product link:
www.moderngigabyte.net/modernbill/index.htm?ref=home_of_modernbill
affected versions: 4.3.2 and previous
original advisory:
http://pridels.blogspot.com/2006/04/modernbill-multiple-sql-inj-vuln.html
###############################################
Vuln. description:
ModernBill contains a flaw that allows remote SQL injection attacks. Input
passed to the "id" parameter in "user.php" isn't properly sanitised before
being used in a SQL query. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
examples:
/user.php?op=menu&tile=mysupport&type=view&id=1[SQL]
/user.php?op=menu&tile=mysupport&type=details&id=(existing id number)[SQL]
/user.php?op=client_invoice&db_table=client_invoice&tile=myinvoices&print=&id=invoice_id|2869[SQL]
ModernBill contains a flaw that allows remote SQL injection attacks. Input
passed to the "WHERE+todo_status", "where", "order" and "WHERE+call_status"
parameters in "admin.php" isn't properly sanitised before being used in a SQL
query. This can be exploited to manipulate SQL queries by injecting arbitrary
SQL code.
examples:
/admin.php?op=view&db_table=todo_list&tile=todo&where=WHERE+todo_status=[SQL]
/admin.php?op=view&db_table=todo_list&tile=todo&where=[SQL]
/admin.php?op=view&db_table=todo_list&where=&order=[SQL]
/admin.php?op=view&db_table=support_desk&tile=support_desk_list&where=WHERE+call_status=[SQL]
###############################################
notice: for successful exploitation (in the 2nd case) the attacker must have
"admin" permissions.
btw, there are many more mistakes/vulns in the admin panel, but as you
understand, if the attacker has admin permissions he will not need to exploit
those vulns.
Also, it was tested on ModernBill Version 4.3.2:B-2:PR:Z:35, but I think that
the 5.0 RC1 version has the same vuln.
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
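What "properly sanitised" means for the two cases above, as an added Python/sqlite3 example that is not ModernBill's code: the user.php-style "id" is validated as an integer and bound as a query parameter, and the admin.php-style "where"/"order" values, which arrive as raw SQL fragments, are replaced by a bound filter value plus a column key resolved through an allowlist. The table, column names and sample rows are assumptions; ModernBill's real schema is not in the advisory.

```python
import sqlite3

# Allowlist mapping the client-supplied "order" value to a real column name
# (constructed; ModernBill's actual todo_list schema is not in the advisory).
ORDER_COLUMNS = {"id": "todo_id", "status": "todo_status", "due": "due_date"}
STATUS_VALUES = {"open", "closed"}   # constructed set of valid filter values

def vulnerable_sql(id_param):
    """The pattern the advisory describes: the request value is spliced
    straight into the query text, so it is never treated as data."""
    return "SELECT * FROM todo_list WHERE todo_id=" + id_param

def get_todo(conn, id_param):
    """user.php-style lookup: the id is checked to be an integer and bound
    as a query parameter, never concatenated into the SQL string."""
    try:
        todo_id = int(id_param)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    return conn.execute(
        "SELECT todo_id, todo_status, due_date FROM todo_list WHERE todo_id = ?",
        (todo_id,)).fetchall()

def list_todos(conn, status_param=None, order_param="id"):
    """admin.php-style listing: instead of accepting a whole WHERE clause and
    ORDER BY fragment, the client picks a filter value (bound as a parameter)
    and a column key that is resolved through the allowlist."""
    if order_param not in ORDER_COLUMNS:
        raise ValueError("unknown order column")
    sql = "SELECT todo_id, todo_status, due_date FROM todo_list"
    params = []
    if status_param is not None:
        if status_param not in STATUS_VALUES:
            raise ValueError("unknown status value")
        sql += " WHERE todo_status = ?"
        params.append(status_param)
    sql += " ORDER BY " + ORDER_COLUMNS[order_param]   # identifier from allowlist only
    return conn.execute(sql, params).fetchall()

def demo_db():
    """In-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE todo_list (todo_id INTEGER, todo_status TEXT, due_date TEXT)")
    conn.executemany("INSERT INTO todo_list VALUES (?, ?, ?)",
                     [(1, "open", "2006-04-20"), (2, "closed", "2006-04-21"),
                      (3, "open", "2006-04-19")])
    return conn
```

Identifiers and clause fragments cannot be bound as parameters, which is why the "order" and "where" inputs need an allowlist rather than escaping.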
###############################################
More information @ unsecured-systems.com/forum/