by r0t, der4444, cembo, VietMafia

Friday, November 25, 2005

Clientexec 2.x Multiple SQL inj.

Vuln. discovered by: r0t
Date: 25 nov. 2005
Vendor: http://www.clientexec.com/
Affected version: Tested on 2.3, but newer versions may also be vulnerable.

Product description:
ClientExec is a tool to help web hosts manage and support their clients efficiently. Unlike many client management packages, ClientExec does not try to be all things to all people; you are in control. We want it to be a natural addition to your business, a powerful tool you use, not get lost within. Top features include powerful customer management, recurring invoicing, an integrated helpdesk and support for a large number of 3rd party payment processors. Auto-withdrawal for authorize.net and cdgcommerce accounts is now integrated into CE.

Vuln. Description:
Input passed to the "billshowid", "billdetailid", "fuse" and "frmClientID" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:
clientexec/index.php?action=0&billdetailid=26&billshowid=[SQL]
clientexec/index.php?action=0&billdetailid=[SQL]
clientexec/index.php?fuse=[SQL]
clientexec/index.php?billshowid=[SQL]
clientexec/index.php?fuse=3&frmClientID=[SQL]

Solution:
Edit the source code to ensure that input is properly validated and sanitised before it is used in a SQL query.
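To make the fix concrete, here is an added PHP example (it is not Clientexec code, and the table and column names `invoices`, `id` and `client_id`, the function names, and the set of valid `fuse` values are assumptions). It places the vulnerable pattern the advisory describes, a request parameter concatenated straight into a query string, beside a hardened version that validates the type and binds the value through a PDO prepared statement, using an in-memory SQLite database with constructed sample rows:

```php
<?php
// Added example, not part of the advisory or of Clientexec.
// Schema (invoices / id / client_id / amount) is assumed for illustration only.

// VULNERABLE pattern described in the advisory: raw request data concatenated
// into SQL, so the value can alter the structure of the query.
// Shown for contrast only; it is never called below.
function fetchInvoiceUnsafe(PDO $db, array $get): ?array
{
    $sql = "SELECT * FROM invoices WHERE id = " . $get['billshowid'];
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: validate the type first, then bind the value as a parameter.
// A bound parameter is sent as data, so it can never change the query text.
function fetchInvoiceSafe(PDO $db, array $get): ?array
{
    $id = filter_var(
        $get['billshowid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return null; // anything that is not a positive integer is rejected
    }
    $stmt = $db->prepare("SELECT * FROM invoices WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// For a parameter that selects a code path (such as "fuse"), an allow-list of
// known values is stricter than escaping. The set below is assumed.
function normaliseFuse(array $get): int
{
    $allowed = [0, 1, 2, 3];
    $fuse = filter_var($get['fuse'] ?? 0, FILTER_VALIDATE_INT);
    return in_array($fuse, $allowed, true) ? $fuse : 0;
}

// Demo with constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE invoices (id INTEGER PRIMARY KEY, client_id INTEGER, amount REAL)");
$db->exec("INSERT INTO invoices VALUES (26, 7, 19.99), (27, 8, 5.00)");

var_dump(fetchInvoiceSafe($db, ['billshowid' => '26']));    // the row with id 26
var_dump(fetchInvoiceSafe($db, ['billshowid' => '26abc'])); // NULL: fails integer validation
var_dump(fetchInvoiceSafe($db, []));                         // NULL: parameter missing
var_dump(normaliseFuse(['fuse' => 'abc']));                  // int(0): not in the allow-list
```

The two defences are independent: validation rejects malformed input early with a clear failure, and the prepared statement guarantees that even a value which passes validation is treated purely as data. Applying the same pattern to every parameter named in the advisory (including the string-typed ones, which should be bound with `PDO::PARAM_STR`) is what the "Solution" section asks for.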

2 Comments:

Anonymous Keith told...

The above mentioned advisory has been corrected, and a patch for version 2.5.0 - 2.5.2 has been released for download. The patch can be found at http://www.clientexec.com/downloads/clientexec_securitypatch_2.5.zip

If you have any other concerns regarding this, please visit our forums at http://www.clientexec.com/forum .

The Clientexec Team

10:36 PM

Blogger r0t told...

It's good to hear that you have released a patch :)
In any other case, I will not visit your board to report something, because it's not my business, but yours.
Be glad that I reported it and did not use it beforehand.

1:03 AM


Copyright (c) 2006 Pridels Sec Crew