by r0t,der4444,cembo,VietMafia

Friday, November 25, 2005

EZ Invoice Inc™ v 2.0 SQL inj.

Vuln. discovered by: r0t
Date: 25 Nov. 2005
Vendor: http://www.ezinvoiceinc.com/
Affected version: v 2.0 and prior
Product description:
This software is the easiest way to create and manage invoices online with just the click of a mouse, from anywhere in the world. All you need is a website with an internet connection. EZI was created for the small business person: mom and pop shops, sole proprietors, small graphic studios, online start-ups, solopreneurs, virtual assistants and more. EZI features a client lounge where your clients can log in to view, print and even pay their invoices online by credit card (PayPal integration). Created by a graphic designer, the software looks simple and is therefore easy to use and learn!

Vuln. Description:
Input passed to the "i" parameter in "invoices.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/ezi/invoices.php?i=[SQL]
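To show the difference between the flaw described above and its fix, here is an added PHP illustration; it is not EZ Invoice's own code. The table and column names, the database credentials and the exact query shape are assumptions; only the script name and the "i" parameter come from the advisory.

```php
<?php
// Added example, not EZ Invoice's code: a lookup shaped like the one behind
// invoices.php?i=..., first in the vulnerable form, then hardened.
// Assumed: table "invoices" with integer "id", and these credentials.
$db = new mysqli('localhost', 'ezi_user', 'secret', 'ezi');

// VULNERABLE: the raw "i" value is pasted straight into the SQL string, so a
// quote character ends the literal and the rest of the value is run as SQL.
function invoice_vulnerable(mysqli $db, string $i): ?array
{
    $sql = "SELECT id, client_id, total FROM invoices WHERE id = '$i'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// HARDENED: an invoice id is a positive integer, so validate the type first
// and then bind it as a parameter; the database never parses it as SQL.
function invoice_hardened(mysqli $db, string $i): ?array
{
    $id = filter_var($i, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);   // reject anything that is not a valid id
        return null;
    }
    $stmt = $db->prepare('SELECT id, client_id, total FROM invoices WHERE id = ?');
    $stmt->bind_param('i', $id);  // "i" = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Only the hardened path should ever be reachable from the request.
$invoice = invoice_hardened($db, $_GET['i'] ?? '');
```

Rejecting non-integer input before the query also gives you a cheap detection point: a 400 response on invoices.php with a non-numeric "i" is worth logging, since legitimate links never produce one.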

Solution:

EZ Invoice, Inc™ has a patch available. Please email support@ezinvoiceinc.com and EZI will email you the patch to fix this small issue.

6 Comments:

Anonymous Anonymous told...

fixed...

2:52 AM

 
Anonymous Admin told...

If you need a patch EZI has one available to customers who purchased version 1 and 2. Just email them at support@ezinvoiceinc.com

All new versions have been fixed and updated...

2:58 AM

 
Anonymous Bob told...

Great fix, thanks!
Love the software... Soo easy... ;-)

9:05 AM

 
Anonymous Anonymous told...

RoT, thanks for finding that small error in the program. I emailed support@ezinvoiceinc.com and they sent me the patch instantly. Though it wasn't a big threat, I appreciate you finding it...
James C -

6:45 PM

 
Blogger Credit Center told...

Hi thanks for your blog, I liked it! I also have a blog/site about credit cards for bad credit that covers credit cards for bad credit related stuff. Please feel free to visit.

7:03 PM

 
Anonymous cash flow told...

Hi Blogger, I was just blog surfing and found you! Wow, I really like this one. It’s such a pleasure to read your post …. Interesting! I was over at another site looking at factor and they didn't go into as much detail as you, but nonetheless interesting.

2:17 AM

 

 
Copyright (c) 2006 Pridels Sec Crew