what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PHP Money Books 1.03 Stored Cross Site Scripting

PHP Money Books 1.03 Stored Cross Site Scripting
Posted Jun 29, 2012
Authored by chap0

PHP Money Books version 1.03 suffers from stored cross site scripting vulnerabilities.

tags | exploit, php, vulnerability, xss
SHA-256 | 28c37410044d56ed3d43c475e197fffb8cafc605053dcc62a4fa1bfca5ebdb61

PHP Money Books 1.03 Stored Cross Site Scripting

Change Mirror Download
# Exploit Title: phpmoneybooks 1.03 Stored XSS
# Date: Jun 28, 2012
# Exploit Author: chap0 - chap0.blogspot.com - @_chap0
# Vendor Homepage: http://phpmoneybooks.com/
# Software Link: http://sourceforge.net/projects/phpmoneybooks/files/phpMoneyBooks103.zip/download
# Version: 1.03
# Patch: Upgrade to 1.04

Vendor Description:
phpMoneyBooks is an open sourced php/mysql program. A free alternative to QuickBooks.

Summary:
phpmoneybooks 1.03 is vulnerable to Stored XSS vulnerability enabling an attacker
to execute arbitrary JavaScript code withing the application. The vulnerability
can be utilized when adding a new bank account or customer account. Users other
then the admin account are able to input this information which in return can
enable the super admin user to fall victim to this attack. The vulnerable index
pages reside in /banks/index.php and /customers/index.php.

Stored XSS example:

'><script>alert('XSS')</script>

Disclosure Timeline:
June 28, 2012 - Contacted Vendor
June 28, 2012 - Vendor replied, and patch application

Vulnerable Code:

/banks/index.php

40 $_POST[AcctName]=trim($_POST[AcctName]);
41 if(strtolower($row[1])==strtolower($_POST['AcctName'])) {
42 echo "<script type='text/javascript'>
43 alert('Duplicate account: $_POST[AcctName] already exists.');
44 </script>";
45 $_GET[action]="AddForm";


/customers/index.php

36 if($_GET[action]=="AddUser"){

37 $query = "INSERT INTO phpMB_customers (AcctNo,DisplayName, CompanyName,MrMs,FirstName,MiddleIn,LastName,Contact,Phone,Phone2,Fax,Email,Rela
tion,BillingAddress,ShippingAddress,Notes) VALUES ('$_POST[AcctNo]', '$_POST[DisplayName]', '$_POST[CompanyName]', '$_POST[MrMs]', '$_POST [FirstName]','$_POST[MiddleIn]', '$_POST[LastName]','$_POST[Contact]', '$_POST[Phone]', '$_POST[Phone2]','$_POST[FAX]','$_POST
[Email]', 'Customer','$_POST[BillingAddress]', '$_POST[ShippingAddress]', '$_POST[Notes]')";

38 QueryMysql($query);
39 $_GET[action]="";


By adding strip_tags to the strings in the php code allows the user input to be sanitized.

A couple of other vulnerabilities that exist in this application:

Usernames and passwords sent in clear text at log in.

The users cookie gets set as username and MD5 password of the user. With this if an
attacker inject javascript that steals cookies, the attacker will obtain the users username
and MD5 hashed password.

These two vulnerabilities are not fix, vendor was notified and is aware.

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close