[Full-disclosure] CORELAN-10-035 NolaPro Enterprise multiple vulnerabilities



Advisory : CORELAN-10-035
Disclosure date : May 1st, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-035

00 : Vulnerability information

Product : NolaPro Enterprise
Version : 4.0.5538
Vendor : Noguska LLC
URL : http://www.nolapro.com
Platform : Windows (PHP/MySQL)
Type of vulnerabilities : SQL Injection, Cross-Site Scripting, Information Disclosure
Risk rating : Medium
Issue fixed in version : 4.0.5720
Vulnerability discovered by : ekse
Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/


01 : Vendor description of software

From the vendor website:
"NolaPro is a premium, completely free web-based accounting suite. It includes AP, AR,
Payroll, Order Tracking, Inventory Control, POS, B2B, and an Ecom Shopping Cart."


02 : Vulnerability details

Corelan Team has found 3 types of vulnerabilities in NolaPro :
- Cross-Site Scripting (XSS)
- SQL Injection
- Information Disclosure

Cross-Site Scripting
--------------------

We have found 3 instances of Cross-Site Scripting in Nolapro, one of which does not
require authentication. Please note that since Cross-Site Scripting is a client side
attack, the need for authentication does not reduce the risk and is indicated sollely
to facillitate reproducing the bugs.

XSS #1
Script: example.php Parameter: file Request: POST AuthRequired?: No

XSS #2
Script: sidemenu.php Parameter: menutitle Request: GET AuthRequired?: Yes

XSS #3
Script: nporderitemremote.php Parameter: linenum Request: GET AuthRequired?: Yes
We provide proof-of-concept for these bugs. These examples are inoffensive and will only
display an alert box in the browser.

XSS #1
Because this is a POST request, an easy way to reproduce the bug is to input the
following string on the example.php page :

<script>alert(String.fromCharCode(88,83,83,32,102,111,117,110,100,32,98,121,32,67,111,114,101,108,97,110,32,84,101,97,109));</script>

XSS #2
http://nolapro_server/sidemenu.php?index=1&menutitle=%3Cscript%3Ealert%28String.fromCharCode%2888,83,83,32,102,111,117,110,100,32,98,121,32,67,111,114,101,108,97,110,32,84,101,97,109%29%29;%3C/script%3E&menutitleorig=STR_ORDERS

XSS #3
http://nolapro_server/nporderitemremote.php?pos_mode=1&currency=USD&curdate=2010-04-12&linenum=%3Cscript%3Ealert%28String.fromCharCode%2888,83,83,32,102,111,117,110,100,32,98,121,32,67,111,114,101,108,97,110,32,84,101,97,109%29%29;%3C/script%3E&inventorylocationid=1&customerid=&shiptoid=0

SQL Injection
-------------
We found one instance of SQL Injection in NolaPro. The vulnerable script is
invitemlstreorder.php and the parameter is vendorid.
To reproduce the bug, first input the value 1 on the invitemlstreorder.php page in the
box for the ID value. The server should respond almost instantly. Now input the following
value :

1 or BENCHMARK(2500000,MD5(1))

The server should take some time to respond (if the delay is too short, increase the
2500000 value).

Information Disclosure
----------------------
The checkfile.php script gives indication on the existence of files on the server. This
information could be used by an attacker to gain information on the server and perform a
targeted attack. Access to this script should require authentication and be accessible to
administrators only.

03 : Vendor communication

april 18th 2010 : vendor contacted
april 19th 2010 : vendor replied
april 21th 2010 : new version available
may 1st 2010 : public disclosure

Corelan Team wants to thank Noguska for their great response and handling of the issues
disclosed.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Open-Xchange Security Advisory 2013-03-13
    ... The vendor has chosen responsible full disclosure to publish security issue details. ... Vulnerability Type: Cross Site Scripting ... Internal reference: 24649 ...
    (Bugtraq)
  • Re: Using 0days as part of pen-test?
    ... the client the option to determine how the vendor gets notified. ... vulnerability information you discover during ... The legal issue isn't the disclosure process, you can act as "legal entity" ... security threats until the vendor release a patch. ...
    (Pen-Test)
  • Re: Call to arms - INFORMATION ANARCHY
    ... Its one thing to prove to a Vendor they have a problem in their code. ... and its not resolved by keeping "Full Disclosure" alive. ... the Vendor for a vulnerability without accepting responsibility for your ... feed the feature versus security mentality of many Vendors. ...
    (NT-Bugtraq)
  • Re: Call to arms - INFORMATION ANARCHY
    ... Its one thing to prove to a Vendor they have a problem in their code. ... and its not resolved by keeping "Full Disclosure" alive. ... > the Vendor for a vulnerability without accepting responsibility for your ... > feed the feature versus security mentality of many Vendors. ...
    (NT-Bugtraq)
  • PTL-2002-03 Betsie XSS Vuln
    ... A Cross-site Scripting vulnerability exists in the Betsie application. ... The vendor has released a new version of the script 1.5.12, ...
    (Bugtraq)