[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5154B488.2030604@vulnerability-lab.com>
Date: Thu, 28 Mar 2013 22:22:16 +0100
From: Vulnerability Lab <research@...nerability-lab.com>
To: full-disclosure@...ts.grok.org.uk
Subject: MailOrderWorks v5.907 - Multiple Web
Vulnerabilities
Title:
======
MailOrderWorks v5.907 - Multiple Web Vulnerabilities
Date:
=====
2013-01-02
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=798
VL-ID:
=====
796
Common Vulnerability Scoring System:
====================================
4.5
Introduction:
=============
Mail order management and stock control is easy with MailOrderWorks. MailOrderWorks (aka MOW) is an easy to use mail order
software and stock control system that supports multiple users, but is also ideal for single person companies too. Our software
allows you and your staff to access the same information, at the same time, from anywhere - even if you`re not in the same office
or building. It`s affordable, easy to use, allows integration and is easily expandable for more users. It`s free to try too.
(Copy of the Vendor Homepage: http://www.mailorderworks.co.uk/index.php )
Abstract:
=========
The Vulnerability-Laboratory Research Team discovered multiple web vulnerabilities in MailOrderWorks v5.907, Mail order management application.
Report-Timeline:
================
2012-12-26: Public Disclosure
Status:
========
Published
Affected Products:
==================
2Dmedia
Product: MailOrderWorks 5.907
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
Multiple persistent web vulnerabilities are detected in the MailOrderWorks v5.907, Mail order management application.
The vulnerability allows an attacker to inject own malicious script code in the vulnerable modules on application side (persistent).
The vulnerabilities mainly exist in the create document/print module. The module doesn`t validate the file context when processing to create.
For example, if we are creating a products summary, the print module(vulnerable) doesn`t check the products titles, and creates the document
with the injected malicious code inside.
1.1
The first vulnerability is located in the `dispatch order` module. The attacker can create an order by injecting the malicious code in the
vulnerable customer parameters which are firstname, lastname, custom A1 and custom A2. For the malicious code to get executed, the target user
should go to `dispatch order` module `Open Batch screen` and then click `start`. The output file executes the malicious script code while
creating the malicious order via add.
1.2
The second vulnerability is located in the `reports and exports` module. The attacker can create an order injecting the vulnerable parameters
in it. The malicious code will be executed when the user choose the orders and create a report about them. The vulnerability also can be
executed from creating a report about the products. The attacker can create a product with injecting malicious code in the vulnerable
parameters which are SKU, Title and Group. When the user create a report about the products, the malicious code will be executed out of the
context from the report file
1.3
The persistent input validation vulnerability is located in the `Create/View issue` in the show/add orders modules. The attacker can
inject malicious codes in different vulnerable parameters which are Reason/fault, Resolution, Issue Notes and Order notes. Whenever the user
clicks on `print issue document` a file will be generated and it includes the malicious codes where it gets executed.
1.4
The final persistent cross-site scripting vulnerability is ver critical because it gets injected in every file that is being generated from
the MailOrderWorld(MOW). The vulnerability is located in the settings of the application where the attacker can inject a malicious code inside
the company profiles in the vulnerable fields which are, Company Name and Address. Whenever a user generates any page, the malicious code will
be executed because the fields: `company name` and `company address` are included in every page that is generated by MOW.
The vulnerability can be exploited with privileged application user account and low or medium required user interaction.
Successful exploitation of the vulnerability result in persistent/non-persistent session hijacking, persistent/non-persistent
phishing, external redirect, external malware loads and persistent/non-persistent vulnerable module context manipulation.
Vulnerable Service(s):
[+] MailOrderWorks (5.907)
Vulnerable Section(s):
[+] New Order
[+] Add new Product
[+] View Orders
[+] Settings
Vulnerable Module(s):
[+] Customer
[+] Add new Product
[+] View Orders => Done => Create/View Issue
[+] Company Settings
Vulnerable Parameter(s):
[+] [Name] - [Mobile/Work] - [Custom A1] - [Custom A2] - [Custom B] - [Email]
[+] [SKU] - [Title] - [Group]
[+] [Reason/fault] - [Resolution] - [Issue Notes] - [Order notes]
[+] [Company name] - [Address] - [Document Title] - [Details/Message]
Affected Module(s):
[+] dispatch order > Open batch screen > Start
[+] Reports and Exports > [Products] - [Dispatch]
[+] View Orders > Done > Create/View Issue > Print issue Document
[+] Any document Generated by MOW
Proof of Concept:
=================
The persistent input validation web vulnerabilities can be exploited by remote attackers with low or medium required user interaction and
low privileged application user account. For demonstration or reproduce ...
#1
Vulnerable Module(s): New Order => [Name] - [Mobile/Work] - [Custom A1] - [Custom A2] - [Custom B] - [Email]
Affected Module(s): dispatch order => open batch screen => start
Code Review:
<div id="container">
<div id="tl">
<h1>Sales Invoice</h1>
<dl style="padding-left: 12px; padding-top: 8px;">
<dt>Invoice No.</dt>
<dd>1004</dd>
<dt>Order Date</dt>
<dd>12/24/2012</dd>
<dt>Custom B1</dt>
<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
<dt>Custom B2</dt>
<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
</dl>
</div>
<div id="tr">
<img src="vlabs_top.png" width="223" height="67" align="right" style="padding-left: 10px;" />
<div style="font-size: 13px; font-weight: bold; padding-bottom: 3px; padding-top: 7px;">vlabs</div>
<div style="padding-left: 12px;">Example Unit<BR>Works Business Park<BR>Mail Order Road<BR>County<BR>AB1 2BC</div>
<div style="padding-top: 8px; padding-left: 12px; clear: both;">Phone: (edit in settings)<BR>Email:
(edit in settings)<BR>Web: (edit in settings)<BR>Company No. (edit in settings), VAT Reg No. (edit in settings)</div>
</div>
<div style="clear: both; padding-top: 10px;">
<div id="delivery">
<h3>Deliver To</h3>
<div class="address">
Mr [PERSISTENT INJECTED SCRIPT CODE!] <br />
</div>
</div>
<div id="billing">
<h3>Invoice To</h3>
<div class="address">
Mr"><[PERSISTENT INJECTED SCRIPT CODE!]")></iframe><br />
</div>
</div>
<div id="customer">
<dl>
<dt>Customer</dt>
<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
<dt>Account</dt>
<dd>568-3671</dd>
<dt>Custom A1</dt>
<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
<dt>Custom A2</dt>
<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
</dl>
</div>
</div>
<div id="items">
<table width="100%" border="0" cellpadding="0" cellspacing="0" class="items">
<tr>
<th width="12%" nowrap="nowrap">SKU </th>
<th width="48%" nowrap="nowrap">Description </th>
<th width="7%" nowrap="nowrap"><div align="right"> Qty</div></th>
<!-- RATESTART --><th width="10%" nowrap="nowrap"><div align="right"> Rate</div></th><!-- RATEEND -->
<th width="11%" nowrap="nowrap"><div align="right"> Unit Price</div></th>
<th width="12%" nowrap="nowrap"><div align="right"> Line Total</div></th>
</tr>
</table>
</div>
</div>
<div id="summary">
#2
Vulnerable Module(s): Add new Product => [SKU] - [Title] - [Group]
Affected Module(s): Reports and Exports => [Products] - [Dispatch]
Code Review:
<TR>
<TH noWrap>SKU</TH>
<TH noWrap>Title</TH>
<TH noWrap>Spec</TH>
<TH noWrap>Group</TH>
<TH noWrap>Retail Price</TH>
<TH noWrap>Available</TH>
<TH noWrap>In Stock</TH>
<TH noWrap>Pending</TH>
<TH noWrap>Allocated</TH>
<TH noWrap>Low Level</TH>
<TH noWrap>Cost</TH>
<TH noWrap>Supplier</TH>
<TH noWrap>Sold</TH>
<TH noWrap>Last Sold</TH>
<TH noWrap>Stock First Arrival</TH></TR>
<TR>
<TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20
src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
<TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20
src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
<TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20
src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
<TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20
src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
<TD vAlign=3Dtop>=A31.00</TD>
<TD vAlign=3Dtop>10</TD>
<TD vAlign=3Dtop>10</TD>
<TD vAlign=3Dtop>0</TD>
<TD vAlign=3Dtop>0</TD>
<TD vAlign=3Dtop>0</TD>
<TD vAlign=3Dtop>=A312.00</TD>
<TD vAlign=3Dtop> </TD>
<TD vAlign=3Dtop> </TD>
<TD vAlign=3Dtop> </TD>
<TD vAlign=3Dtop>12/24/2012</TD></TR>
<TR>
<TD vAlign=3Dtop>BBA123G</TD>
<TD vAlign=3Dtop>Angled Building Block</TD>
#3
Vulnerable Module(s): View Orders => [Reason/fault] - [Resolution] - [Issue Notes] - [Order notes]
Affected Module(s): Reports and Exports => View Orders => Done => Create/View Issue => print issue Document
Code Review:
<TBODY>
<TR>
<TD vAlign=3Dtop width=3D"32%">
<P><STRONG>Fault Description</STRONG></P>
<P>Created: 12/25/2012</P></TD>
<TD vAlign=3Dtop width=3D"68%">
=
[PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD> </TD></TR>
<TR>
<TD>
<TABLE=20
style=3D"BORDER-BOTTOM: #000000 1px solid; =
BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; =
BORDER-RIGHT: #000000 1px solid"=20
border=3D0 cellSpacing=3D10 cellPadding=3D8 =
width=3D"100%">
<TBODY>
<TR>
<TD vAlign=3Dtop width=3D"32%">
<P><STRONG>Resolution</STRONG></P>
<P>Resolved: </P></TD>
<TD vAlign=3Dtop width=3D"68%">
=
[PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD> </TD></TR>
<TR>
<TD>
<TABLE=20
style=3D"BORDER-BOTTOM: #000000 1px solid; =
BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; =
BORDER-RIGHT: #000000 1px solid"=20
border=3D0 cellSpacing=3D10 cellPadding=3D8 =
width=3D"100%">
<TBODY>
<TR>
<TD vAlign=3Dtop width=3D"32%"><STRONG>Fault =
Report Notes=20
</STRONG></TD>
<TD vAlign=3Dtop width=3D"68%">
[PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD> </TD></TR>
<TR>
<TD>
<TABLE=20
style=3D"BORDER-BOTTOM: #000000 1px solid; =
BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; =
BORDER-RIGHT: #000000 1px solid"=20
border=3D0 cellSpacing=3D10 cellPadding=3D8 =
width=3D"100%">
<TBODY>
<TR>
<TD vAlign=3Dtop width=3D"32%"><STRONG>Order Notes =
</STRONG></TD>
<TD vAlign=3Dtop width=3D"68%">
[PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD> </TD></TR>
<TR>
<TD> </TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD><IMG=20
=
src=3D"file:///C:/Documents%20and%20Settings/storm/Local%20Settings/Temp/=
vlabs_1x1.jpg"=20
width=3D1 height=3D150></TD>
<TD=20
vAlign=3Dtop> </TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></=
BODY></HTML>
...
Vulnerable Module(s): Settings => [Company name] - [Address] - [Document Title] - [Details/Message]
Affected Module(s): all generated files by MOW
Code Review:
From: <Saved by Windows Internet Explorer 8>
Subject: [PERSISTENT INJECTED SCRIPT CODE!](MailOrderWorks)
Date: Tue, 25 Dec 2012 11:59:57 -0800
MIME-Version: 1.0
Content-Type: multipart/related;
type="text/html";
boundary="----=_NextPart_000_0000_01CDE297.5C26ACF0"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
class=3Dstyle20><BR></SPAN></STRONG></DIV></TD>
<TD vAlign=3Dtop width=3D"50%">
<DIV align=3Dright>
<P><IMG=20
=
src=3D""=20
width=3D323 height=3D99><BR><BR><STRONG>
[PERSISTENT INJECTED SCRIPT CODE!]</STRONG><BR>
[PERSISTENT INJECTED SCRIPT CODE!]
<P></P></DIV></TD></TR></TBODY></TABLE></DIV></TD></TR>
<TR>
<TD vAlign=3Dtop>
<TABLE border=3D0 cellSpacing=3D0 cellPadding=3D0 width=3D"100%">
<TBODY>
<TR>
<TD width=3D1><IMG=20
=
src=3D""=20
width=3D1 height=3D450></TD>
Risk:
=====
The security risk of the persistent input validation web vulnerabilities are estimated as medium(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [storm@...nerability-lab.com] [iel-sayed.blogspot.com]
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@...nerability-lab.com - support@...nerability-lab.com - research@...nerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@...nerability-lab.com or support@...nerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@...nerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists