what you don't know can hurt you

PHP Money Books 1.03 Stored Cross Site Scripting

PHP Money Books 1.03 Stored Cross Site Scripting
Posted Jun 29, 2012
Authored by chap0

PHP Money Books version 1.03 suffers from stored cross site scripting vulnerabilities.

tags | exploit, php, vulnerability, xss
MD5 | 6b9da8d5a40f04f97fe6b20d8004ee1c

PHP Money Books 1.03 Stored Cross Site Scripting

Change Mirror Download
# Exploit Title: phpmoneybooks 1.03 Stored XSS
# Date: Jun 28, 2012
# Exploit Author: chap0 - chap0.blogspot.com - @_chap0
# Vendor Homepage: http://phpmoneybooks.com/
# Software Link: http://sourceforge.net/projects/phpmoneybooks/files/phpMoneyBooks103.zip/download
# Version: 1.03
# Patch: Upgrade to 1.04

Vendor Description:
phpMoneyBooks is an open sourced php/mysql program. A free alternative to QuickBooks.

Summary:
phpmoneybooks 1.03 is vulnerable to Stored XSS vulnerability enabling an attacker
to execute arbitrary JavaScript code withing the application. The vulnerability
can be utilized when adding a new bank account or customer account. Users other
then the admin account are able to input this information which in return can
enable the super admin user to fall victim to this attack. The vulnerable index
pages reside in /banks/index.php and /customers/index.php.

Stored XSS example:

'><script>alert('XSS')</script>

Disclosure Timeline:
June 28, 2012 - Contacted Vendor
June 28, 2012 - Vendor replied, and patch application

Vulnerable Code:

/banks/index.php

40 $_POST[AcctName]=trim($_POST[AcctName]);
41 if(strtolower($row[1])==strtolower($_POST['AcctName'])) {
42 echo "<script type='text/javascript'>
43 alert('Duplicate account: $_POST[AcctName] already exists.');
44 </script>";
45 $_GET[action]="AddForm";


/customers/index.php

36 if($_GET[action]=="AddUser"){

37 $query = "INSERT INTO phpMB_customers (AcctNo,DisplayName, CompanyName,MrMs,FirstName,MiddleIn,LastName,Contact,Phone,Phone2,Fax,Email,Rela
tion,BillingAddress,ShippingAddress,Notes) VALUES ('$_POST[AcctNo]', '$_POST[DisplayName]', '$_POST[CompanyName]', '$_POST[MrMs]', '$_POST [FirstName]','$_POST[MiddleIn]', '$_POST[LastName]','$_POST[Contact]', '$_POST[Phone]', '$_POST[Phone2]','$_POST[FAX]','$_POST
[Email]', 'Customer','$_POST[BillingAddress]', '$_POST[ShippingAddress]', '$_POST[Notes]')";

38 QueryMysql($query);
39 $_GET[action]="";


By adding strip_tags to the strings in the php code allows the user input to be sanitized.

A couple of other vulnerabilities that exist in this application:

Usernames and passwords sent in clear text at log in.

The users cookie gets set as username and MD5 password of the user. With this if an
attacker inject javascript that steals cookies, the attacker will obtain the users username
and MD5 hashed password.

These two vulnerabilities are not fix, vendor was notified and is aware.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close