lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 9 Dec 2012 18:31:14 GMT
From: tommccredie@...il.com
To: bugtraq@...urityfocus.com
Subject: SimpleInvoices 2011.1  Cross-Site-Scripting (XSS)
 Vulnerabilities  CVE-2012-4932


Overview
SimpleInvoices 2011.1 is vulnerable to Cross-site Scripting (XSS).

Software Description

Simple Invoices is a free, open source, web based invoicing system that you can install on your server/pc or have hosted by one of our services providers.

Vulnerability Overview

The vulnerabilities POC are as follows:

Reflective Cross-Site-Scripting (XSS)

[http://]127.0.0.1/simpleinvoices/index.php?module=invoices&view=manage&having=%3C/script%3E%3Cscript%3Ealert%28%27POC%20XSS%27%29;%3C/script%3E%3Cscript%3E

Persistent Cross-Site-Scripting (XSS)

Steps to replicate:

Add User

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=user&view=add

2) Add the following javascript to the Email field:

<script>alert(‘POC XSS’)</script>

3) Click ‘Save’

4) Application will redirect to Users page where javascript will execute.

Add Customer

1) Navigate tot he following URL:

http://127.0.0.1/simpleinvoices/index.php?module=customers&view=add

2) Add the following javascript to the Customer Name field:

<script>alert(‘POC XSS’)</script>

3) Fill out the remaining compulsary fields and click ‘Save’

4) Application will redirect tot he Customers page and javascript will execute.

5) This action also breaks the application logic in the fact that you cannot delete the created ‘User’ in the application, deletion must be carried out manually from the database.

Add Biller

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=billers&view=add

2) Add a legitimate Biller Name such as ‘Test’

3) Add the following javascript to the ‘Street address’, ‘Street address 2&#8242;, ‘City’, ‘Zip code’, ‘State’, ‘Country’, ‘Mobile Phone’, ‘Phone’, ‘Fax’, ‘Email’, ‘PayPal business name’, ‘PayPal notify url’, ‘PayPal return url’, ‘Eway customer ID’, ‘Custom field 1&#8242;, ‘Custom field 2&#8242;, ‘Custom field 3&#8242; and ‘Custom field 4&#8242; fields:

<script>alert(‘POC XSS’)</script>

4) Click ‘Save’

5) Application will redirect to the Billers page and the javascript will execute once.

6) Click the ‘View Test’ icon and the application will execute the javascript from each of the vulnerable fields, totalling 18 alerts.

Add Invoice

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=invoices&view=itemised

2) Choose the recently created Customer ‘<script>alert(‘POC XSS’)</script>’

3) Enter any text into the remaining comulsary fields and click ‘Save’

3) Click ‘Invoices’ from sub-menu

4) Javascript will execute in browser.

Process Payment

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=payments&view=process&op=pay_invoice

2) Choose the recently created invoice ‘<script>alert(‘POC XSS’)</script>’

3) Enter the following into the ‘Notes’ field:

<script>alert(‘POC XSS’)</script>

4) The application will redirect and the javascript will execute in the browser.

Payment Types

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=payment_types&view=manage

2) Add the following code in the ‘Payment type description’ field:

<script>alert(‘POC XSS’)</script>

3) Click ‘Save’

4) The application will redirect to the ‘Payment Types’ page and the javascript will execute in the browser

5) This action also breaks the application logic in the fact that you cannot delete the created ‘Payment Type’ in the application, deletion must be carried out manually from the database.

Invoice Preferences

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=preferences&view=add

2) Add the following code in the ‘Description’ field:

<script>alert(‘POC XSS’)</script>

3) Enter any text into the remaining comulsary fields and click ‘Save’

4) The application will redirect to the ‘Invoice Preferences’ page and the javascript will execute in the browser

5) This action also breaks the application logic in the fact that you cannot delete the created ‘Invoice Preference’ in the application, deletion must be carried out manually from the database.

Manage Products

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=products&view=add

2) Add the following code in the ‘Description’ field:

<script>alert(‘POC XSS’)</script>

3) Enter any text into the remaining comulsary fields and click ‘Save’

4) The application will redirect to the ‘Manage Products’ page and the javascript will execute in the browser

5) This action also breaks the application logic in the fact that you cannot delete the created ‘Product’ in the application, deletion must be carried out manually from the database.

Tax Rates

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=tax_rates&view=add

2) Add the following code in the ‘Description’ field:

<script>alert(‘POC XSS’)</script>

3) Enter any text into the remaining comulsary fields and click ‘Save’

4) The application will redirect to the ‘Tax Rates’ page and the javascript will execute in the browser

5) This action also breaks the application logic in the fact that you cannot delete the created ‘Tax Rate’ in the application, deletion must be carried out manually from the database.

 

Vulnerability Timeline

18-9-12 – Developer contacted

18-9-12 – CVE-2012-4932 reserved

??-10-12 – Developer release of stable-2012-1-CIS3000 - https://github.com/simpleinvoices/simpleinvoices/tree/stable-2012-1-CIS3000

9-12-12 – Mitre advised to close CVE-2012-4932

Powered by blists - more mailing lists