Bugtraq mailing list archives

CBMS: XSS and SQL Injection holes


From: Ulf Harnhammar <ulfh () update uu se>
Date: Fri, 7 Jun 2002 01:26:40 +0200 (CEST)


PROGRAM: CBMS
VENDOR: Voxel Dot Net, Inc. <cbms () voxel net>
HOMEPAGE: http://www.voxel.net/projects/cbms/
VULNERABLE VERSIONS: 0.7 (and possibly earlier versions as well)
LOGIN REQUIRED: yes
SEVERITY: high
VERSION OF THIS ADVISORY: 1.1


DESCRIPTION:

"The CBMS is a full featured client/billing management system designed from
the ground up to cater specifically to hosting providers. The software is a
PHP script package which uses mysql. Notable features include automated
invoicing, client search, multiple customizable packages for clients, and
client viewable real time invoice."
(direct quote from the program's project page at Freshmeat)

It is published under the terms of the Voxel Public License.


SECURITY HOLES:

CBMS is littered with XSS (Cross-site Scripting) and SQL Injection holes.
Whether you are looking at a client, working with invoices or editing client
packages, those holes exist almost everywhere. The code does nothing to
prevent them: user-supplied data is echoed back as HTML without escaping, and
it is pasted into SQL statements without validation or quoting.

One obvious example of an XSS hole is the first name field on the Add a new
client screen, a field which is shown without the htmlspecialchars()
treatment in the client list. One example of an SQL Injection hole can be
found in the dltclnt.php script: a request to
dltclnt.php?choice=yes&idnum=clientid wipes all clients, because the idnum
parameter reaches the SQL statement unchecked.
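The following is an added illustration of the two bug classes above and is
not CBMS code: it reconstructs the pattern of a delete script that pastes the
idnum parameter into a DELETE statement and of a client list that echoes the
first name unescaped, next to the hardened forms. The table layout, the column
name clientid and the sample rows are assumptions made for the demonstration
(sqlite3 stands in for MySQL, html.escape() for htmlspecialchars()).

```python
import html
import sqlite3

# Constructed sample data standing in for a CBMS-style clients table.
# Schema, column names and rows are assumptions for this demonstration.
SAMPLE_CLIENTS = [
    (1, "Alice", "Example Hosting"),
    (2, "<script>alert(document.cookie)</script>", "Mallory Inc"),
    (3, "Bob", "Bob's Sites"),
]


def fresh_db():
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (clientid INTEGER PRIMARY KEY, "
        "firstname TEXT, company TEXT)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    conn.commit()
    return conn


def count_clients(conn):
    return conn.execute("SELECT COUNT(*) FROM clients").fetchone()[0]


def delete_client_vulnerable(conn, idnum):
    """Vulnerable pattern: the request parameter is concatenated into the
    SQL text. With idnum='clientid' the WHERE clause compares the column
    to itself, which is true for every row, so the whole table is wiped.
    Returns the number of rows left."""
    conn.execute("DELETE FROM clients WHERE clientid=" + idnum)
    conn.commit()
    return count_clients(conn)


def delete_client_fixed(conn, idnum):
    """Hardened: reject anything that is not a plain integer, then bind
    the value as a query parameter so it can never alter the statement."""
    if not idnum.isdigit():
        raise ValueError("idnum must be a positive integer")
    conn.execute("DELETE FROM clients WHERE clientid=?", (int(idnum),))
    conn.commit()
    return count_clients(conn)


def client_list_vulnerable(conn):
    """Vulnerable output: the stored first name goes straight into the
    HTML table, so a name containing markup runs in every viewer's browser."""
    rows = conn.execute("SELECT clientid, firstname FROM clients ORDER BY clientid")
    return "".join(f"<tr><td>{cid}</td><td>{name}</td></tr>\n" for cid, name in rows)


def client_list_fixed(conn):
    """Hardened output: escape on the way out, quotes included, so the
    browser renders the name as text instead of parsing it as HTML."""
    rows = conn.execute("SELECT clientid, firstname FROM clients ORDER BY clientid")
    return "".join(
        f"<tr><td>{cid}</td><td>{html.escape(name, quote=True)}</td></tr>\n"
        for cid, name in rows
    )


if __name__ == "__main__":
    db = fresh_db()
    print("rows before:", count_clients(db))
    print("rows after idnum=clientid (vulnerable):", delete_client_vulnerable(db, "clientid"))
    db = fresh_db()
    print("rows after idnum=2 (fixed):", delete_client_fixed(db, "2"))
    print(client_list_fixed(db))
```

The delete fix checks the parameter before it is used and binds it rather
than quoting it by hand; the list fix escapes at the point of output, which
is the htmlspecialchars() treatment the advisory refers to.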


COMMUNICATION WITH VENDOR:

The vendor was contacted the first time on the 19th of May. No reply. They
were contacted again on the 24th of May. This time they replied that they were
working on a fixed version, which still hasn't been released.


// Ulf Harnhammar
ulfh () update uu se

