Lucene search
+L

NetArt Media Pharmacy System 2.0 XSS / SQL Injection

🗓️ 20 Jul 2012 00:00:00Reported by Antu SanadiType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 23 Views

NetArt Media Pharmacy System 2.0 SQL Injection and XSS Vulnerabilitie

Code
`##############################################################################  
#  
# Title : NetArt Media Pharmacy System SQL Injection and Cross-site  
# Scripting Vulnerabilities  
# Author : Antu Sanadi SecPod Technologies (www.secpod.com)  
# Vendor : http://www.netartmedia.net/  
# Advisory : http://secpod.org/blog/?p=513  
# : http://secpod.org/advisories/SecPod_NetArt_Media_Pharmacy_System_SQLi_and_XSS_Vuln.txt  
# Software : NetArt Media Pharmacy System Version 2.0  
# Date : 29/06/2012  
#  
##############################################################################  
  
SecPod ID: 1045 02/02/2012 Issue Discovered  
19/06/2012 Vendor Notified  
No Response from vendor  
18/07/2012 Advisory Released  
  
Class: SQL Injection/Cross-site Scripting Severity: High  
  
  
Overview:  
---------  
NetArt Media Pharmacy System SQL Injection and Cross-site Scripting  
Vulnerabilities.  
  
  
Technical Description:  
----------------------  
SQL Injection and Cross-site Scripting Vulnerabilities are present in  
NetArt Media Pharmacy System as it fails to sanitise user-supplied input.  
  
i) Input passed via the 'search' parameter in 'index.php' is not properly  
verified before using. This may allow an attacker to steal cookie-based  
unauthenticated credentials and launch further attacks.  
  
ii) Input passed via the 'Email' and 'Password' parameter in  
'/pharma/ADMIN/loginaction.php' page is not properly verified before  
being used in an SQL query. This can be exploited to manipulate SQL  
queries by injecting arbitrary SQL code. This may allow an unauthenticated  
attacker to launch further attacks.  
  
These vulnerabilities have been tested on NetArt Media Pharmacy System v2.0,  
Other versions may also be affected.  
  
  
Impact:  
--------  
Successful exploitation could allow an attacker to execute arbitrary HTML  
code in a user's browser session in the context of a vulnerable application  
or to manipulate SQL queries by injecting arbitrary SQL code.  
  
  
Affected Software:  
------------------  
NetArt Media Pharmacy System v2.0  
  
  
Tested on,  
NetArt Media Pharmacy System v2.0  
  
  
References:  
-----------  
http://secpod.org/blog/?p=513  
http://www.netartmedia.net/pharmacysystem  
http://secpod.org/advisories/SecPod_NetArt_Media_Pharmacy_System_SQLi_and_XSS_Vuln.txt  
  
  
Proof of Concept:  
-----------------  
POC1:  
POST /pharma1/index.php HTTP/1.1  
  
Host: SERVER_IP  
User-Agent: XSS-TEST  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 70  
  
Post Data:  
----------  
mod=products&search=%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E  
  
POC2:  
  
POST /pharma2/ADMIN/loginaction.php HTTP/1.1  
  
Host: SERVER_IP  
User-Agent:SQL-INJECTION  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 32  
  
Post Data:  
----------  
Email=%27&Password=%27&x=32&y=10  
  
Solution:  
---------  
Fix not available  
  
  
Risk Factor:  
-------------  
CVSS Score Report:  
ACCESS_VECTOR = NETWORK  
ACCESS_COMPLEXITY = LOW  
AUTHENTICATION = NONE  
CONFIDENTIALITY_IMPACT = PARTIAL  
INTEGRITY_IMPACT = PARTIAL  
AVAILABILITY_IMPACT = NONE  
EXPLOITABILITY = PROOF_OF_CONCEPT  
REMEDIATION_LEVEL = UNAVAILABLE  
REPORT_CONFIDENCE = CONFIRMED  
CVSS Base Score = 6.4 (High) (AV:N/AC:L/Au:N/C:N/I:P/A:N)  
  
Credits:  
--------  
Antu Sanadi of SecPod Technologies has been credited with the discovery of this  
vulnerabilities.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation