by r0t,der4444,cembo,VietMafia

Tuesday, April 18, 2006

ModernBill multiple SQL inj. vuln.

###############################################
Vuln. discovered by: r0t
Date: 18 April 2006
Vendor: www.moderngigabyte.com
Product link: www.moderngigabyte.net/modernbill/index.htm?ref=home_of_modernbill
Affected versions: 4.3.2 and previous
###############################################

Vuln. description:


1. SQL injection vuln. with user permissions

ModernBill contains a flaw that allows remote SQL injection attacks. Input passed to the "id" parameter in "user.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:

/user.php?op=menu&tile=mysupport&type=view&id=1[SQL]

/user.php?op=menu&tile=mysupport&type=details&id=(existing id number)[SQL]

/user.php?op=client_invoice&db_table=client_invoice&tile=myinvoices&print=&id=invoice_id|2869[SQL]

2. SQL injection vuln. with admin permissions

ModernBill contains a flaw that allows remote SQL injection attacks. Input passed to the "WHERE+todo_status", "where", "order" and "WHERE+call_status" parameters in "admin.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


examples:

/admin.php?op=view&db_table=todo_list&tile=todo&where=WHERE+todo_status=[SQL]

/admin.php?op=view&db_table=todo_list&tile=todo&where=[SQL]

/admin.php?op=view&db_table=todo_list&where=&order=[SQL]

/admin.php?op=view&db_table=support_desk&tile=support_desk_list&where=WHERE+call_status=[SQL]

###############################################
Notice: for successful exploitation (in the 2nd case) the attacker must have "admin" permissions.
Btw, there are many more mistakes/vulns in the admin panel, but as you understand, if an attacker has admin permissions he will not need to exploit those vulns.
Also, it was tested on ModernBill Version 4.3.2:B-2:PR:Z:35, but I think that the 5.0 RC1 version has the same vuln.
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
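What "properly sanitised" means for the parameters named above, as an added example; this is not ModernBill's code (the vendor's source is not on the page) and it is written in Python with sqlite3 rather than the application's PHP so that it runs stand-alone. The table "todo_list", the column "todo_status" and the parameter names "where", "order" and "id" are taken from the advisory; the rows are constructed. The point it makes is that a bound parameter covers the "id" and status values, but the "order" column and the whole "where" clause are SQL syntax, which a placeholder cannot carry, so those have to be mapped through an allow-list and anything unknown rejected.

```python
import sqlite3

# Constructed sample data standing in for a ModernBill "todo_list" table (assumption: the real
# schema is not on the page; only the table, column and parameter names come from the advisory).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE todo_list (id INTEGER PRIMARY KEY, title TEXT, todo_status TEXT);
        INSERT INTO todo_list VALUES (1, 'renew cert', 'open');
        INSERT INTO todo_list VALUES (2, 'rotate keys', 'closed');
        INSERT INTO todo_list VALUES (3, 'patch billing', 'open');
    """)
    return conn

def vulnerable_view(conn, where, order):
    # The pattern the advisory describes for admin.php: the "where" and "order" request
    # parameters are pasted straight into the statement, so the caller controls the query.
    sql = f"SELECT id, title FROM todo_list {where} ORDER BY {order}"
    return conn.execute(sql).fetchall()

# Allow-lists for the parts of a statement that cannot be bound as parameters.
ALLOWED_STATUS = {"open", "closed"}
ALLOWED_ORDER = {"id": "id", "title": "title", "status": "todo_status"}

def hardened_view(conn, status, order_key):
    # The status value travels as a bound parameter; the ORDER BY column is chosen from the
    # allow-list and never copied from the request. Unknown input is rejected outright.
    if status not in ALLOWED_STATUS:
        raise ValueError("unknown todo_status")
    column = ALLOWED_ORDER.get(order_key)
    if column is None:
        raise ValueError("unknown sort column")
    sql = f"SELECT id, title FROM todo_list WHERE todo_status = ? ORDER BY {column}"
    return conn.execute(sql, (status,)).fetchall()

def hardened_by_id(conn, raw_id):
    # user.php-style numeric "id": require digits only, then bind the integer.
    if not raw_id.isdigit():
        return None
    return conn.execute("SELECT id, title FROM todo_list WHERE id = ?", (int(raw_id),)).fetchone()

def view_or_none(conn, status, order_key):
    # Wrapper so the rejection path shows up as a return value instead of an exception.
    try:
        return hardened_view(conn, status, order_key)
    except ValueError:
        return None

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_view(db, "WHERE todo_status='open'", "id"))
    print(vulnerable_view(db, "WHERE todo_status='x' OR 1=1", "id"))  # filter bypassed: every row
    print(view_or_none(db, "open", "title"))
    print(view_or_none(db, "x' OR 1=1", "id"))                        # None: rejected
    print(hardened_by_id(db, "2"), hardened_by_id(db, "2 OR 1=1"))
```

The vulnerable function returns every row as soon as the "where" clause carries a tautology, which is the behaviour the advisory's "[SQL]" placeholders stand for. In the hardened version the request never reaches the SQL text: values go through `?` placeholders and structural parts go through a fixed mapping, so there is nothing left to escape.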
More information @ unsecured-systems.com/forum/

5 Comments:

Anonymous Anonymous told...

From the admin panel executing arbitrary PHP code is not possible, only SQL attacks.

5:44 AM

 
Blogger r0t told...

Yes, and I didn't say that... but there are a lot of SQL inj. vulns there..

4:19 PM

 
Anonymous Anonymous told...

What is the SQL string???

8:35 PM

 
Anonymous Anonymous told...

Yeah, v5 is totally different. ALL input is sanitized due to the structure of the system. I've talked with them about that kind of stuff and I've seen how they do "actions".

6:56 PM

 
Blogger r0t told...

I hope that you are right... :)

10:37 PM

 

Copyright (c) 2006 Pridels Sec Crew