NetArt Media Pharmacy System version 2.0 suffers from cross site scripting and remote SQL injection vulnerabilities.
571ede9e0f61702e459089e92ef605c1088c80b80d2c48abf07296d09534e227
##############################################################################
#
# Title : NetArt Media Pharmacy System SQL Injection and Cross-site
# Scripting Vulnerabilities
# Author : Antu Sanadi SecPod Technologies (www.secpod.com)
# Vendor : http://www.netartmedia.net/
# Advisory : http://secpod.org/blog/?p=513
# : http://secpod.org/advisories/SecPod_NetArt_Media_Pharmacy_System_SQLi_and_XSS_Vuln.txt
# Software : NetArt Media Pharmacy System Version 2.0
# Date : 29/06/2012
#
##############################################################################
SecPod ID: 1045 02/02/2012 Issue Discovered
19/06/2012 Vendor Notified
No Response from vendor
18/07/2012 Advisory Released
Class: SQL Injection/Cross-site Scripting Severity: High
Overview:
---------
NetArt Media Pharmacy System SQL Injection and Cross-site Scripting
Vulnerabilities.
Technical Description:
----------------------
SQL Injection and Cross-site Scripting Vulnerabilities are present in
NetArt Media Pharmacy System as it fails to sanitise user-supplied input.
i) Input passed via the 'search' parameter in 'index.php' is not properly
verified before using. This may allow an attacker to steal cookie-based
unauthenticated credentials and launch further attacks.
ii) Input passed via the 'Email' and 'Password' parameter in
'/pharma/ADMIN/loginaction.php' page is not properly verified before
being used in an SQL query. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code. This may allow an unauthenticated
attacker to launch further attacks.
These vulnerabilities have been tested on NetArt Media Pharmacy System v2.0,
Other versions may also be affected.
Impact:
--------
Successful exploitation could allow an attacker to execute arbitrary HTML
code in a user's browser session in the context of a vulnerable application
or to manipulate SQL queries by injecting arbitrary SQL code.
Affected Software:
------------------
NetArt Media Pharmacy System v2.0
Tested on,
NetArt Media Pharmacy System v2.0
References:
-----------
http://secpod.org/blog/?p=513
http://www.netartmedia.net/pharmacysystem
http://secpod.org/advisories/SecPod_NetArt_Media_Pharmacy_System_SQLi_and_XSS_Vuln.txt
Proof of Concept:
-----------------
POC1:
POST /pharma1/index.php HTTP/1.1
Host: SERVER_IP
User-Agent: XSS-TEST
Content-Type: application/x-www-form-urlencoded
Content-Length: 70
Post Data:
----------
mod=products&search=%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E
POC2:
POST /pharma2/ADMIN/loginaction.php HTTP/1.1
Host: SERVER_IP
User-Agent:SQL-INJECTION
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Post Data:
----------
Email=%27&Password=%27&x=32&y=10
Solution:
---------
Fix not available
Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = NONE
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 6.4 (High) (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of this
vulnerabilities.