NolaPro Enterprise 4.0.5538 Cross Site Scripting / SQL Injection

Type packetstorm
Reporter ekse
Modified 2010-05-03T00:00:00


                                            `Advisory : CORELAN-10-035  
Disclosure date : May 1st, 2010  
00 : Vulnerability information  
Product : NolaPro Enterprise  
Version : 4.0.5538  
Vendor : Noguska LLC   
URL :  
Platform : Windows (PHP/MySQL)  
Type of vulnerabilities : SQL Injection, Cross-Site Scripting, Information Disclosure  
Risk rating : Medium  
Issue fixed in version : 4.0.5720   
Vulnerability discovered by : ekse  
Corelan Team :  
01 : Vendor description of software  
>From the vendor website:  
"NolaPro is a premium, completely free web-based accounting suite. It includes AP, AR,  
Payroll, Order Tracking, Inventory Control, POS, B2B, and an Ecom Shopping Cart."  
02 : Vulnerability details  
Corelan Team has found 3 types of vulnerabilities in NolaPro :  
- Cross-Site Scripting (XSS)  
- SQL Injection  
- Information Disclosure  
Cross-Site Scripting  
We have found 3 instances of Cross-Site Scripting in Nolapro, one of which does not   
require authentication. Please note that since Cross-Site Scripting is a client side  
attack, the need for authentication does not reduce the risk and is indicated sollely  
to facillitate reproducing the bugs.  
XSS #1  
Script: example.php Parameter: file Request: POST AuthRequired?: No  
XSS #2   
Script: sidemenu.php Parameter: menutitle Request: GET AuthRequired?: Yes  
XSS #3  
Script: nporderitemremote.php Parameter: linenum Request: GET AuthRequired?: Yes  
We provide proof-of-concept for these bugs. These examples are inoffensive and will only  
display an alert box in the browser.  
XSS #1  
Because this is a POST request, an easy way to reproduce the bug is to input the   
following string on the example.php page :  
XSS #2  
XSS #3  
SQL Injection  
We found one instance of SQL Injection in NolaPro. The vulnerable script is  
invitemlstreorder.php and the parameter is vendorid.  
To reproduce the bug, first input the value 1 on the invitemlstreorder.php page in the  
box for the ID value. The server should respond almost instantly. Now input the following   
value :  
1 or BENCHMARK(2500000,MD5(1))  
The server should take some time to respond (if the delay is too short, increase the   
2500000 value).  
Information Disclosure  
The checkfile.php script gives indication on the existence of files on the server. This  
information could be used by an attacker to gain information on the server and perform a  
targeted attack. Access to this script should require authentication and be accessible to  
administrators only.  
03 : Vendor communication  
april 18th 2010 : vendor contacted  
april 19th 2010 : vendor replied  
april 21th 2010 : new version available  
may 1st 2010 : public disclosure  
Corelan Team wants to thank Noguska for their great response and handling of the issues