Advisory        : CORELAN-10-035
Disclosure date : May 1st, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-035

00 : Vulnerability information

  Product : NolaPro Enterprise
  Version : 4.0.5538
  Vendor : Noguska LLC 
  URL : http://www.nolapro.com
  Platform : Windows (PHP/MySQL)
  Type of vulnerabilities : SQL Injection, Cross-Site Scripting, Information Disclosure
  Risk rating : Medium
  Issue fixed in version : 4.0.5720  
  Vulnerability discovered by : ekse
  Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/


01 : Vendor description of software

>From the vendor website:
"NolaPro is a premium, completely free web-based accounting suite. It includes AP, AR,
Payroll, Order Tracking, Inventory Control, POS, B2B, and an Ecom Shopping Cart."


02 : Vulnerability details

Corelan Team has found 3 types of vulnerabilities in NolaPro :
 - Cross-Site Scripting (XSS)
 - SQL Injection
 - Information Disclosure
 
Cross-Site Scripting
--------------------

We have found 3 instances of Cross-Site Scripting in Nolapro, one of which does not 
require authentication. Please note that since Cross-Site Scripting is a client side
attack, the need for authentication does not reduce the risk and is indicated sollely
to facillitate reproducing the bugs.

XSS #1
Script: example.php Parameter: file Request: POST AuthRequired?: No

XSS #2  
Script: sidemenu.php Parameter: menutitle Request: GET AuthRequired?: Yes

XSS #3
Script: nporderitemremote.php Parameter: linenum Request: GET AuthRequired?: Yes
We provide proof-of-concept for these bugs. These examples are inoffensive and will only
display an alert box in the browser.

XSS #1
Because this is a POST request, an easy way to reproduce the bug is to input the 
following string on the example.php page :

<script>alert(String.fromCharCode(88,83,83,32,102,111,117,110,100,32,98,121,32,67,111,114,101,108,97,110,32,84,101,97,109));</script>

XSS #2
http://nolapro_server/sidemenu.php?index=1&menutitle=%3Cscript%3Ealert%28String.fromCharCode%2888,83,83,32,102,111,117,110,100,32,98,121,32,67,111,114,101,108,97,110,32,84,101,97,109%29%29;%3C/script%3E&menutitleorig=STR_ORDERS

XSS #3
http://nolapro_server/nporderitemremote.php?pos_mode=1&currency=USD&curdate=2010-04-12&linenum=%3Cscript%3Ealert%28String.fromCharCode%2888,83,83,32,102,111,117,110,100,32,98,121,32,67,111,114,101,108,97,110,32,84,101,97,109%29%29;%3C/script%3E&inventorylocationid=1&customerid=&shiptoid=0

SQL Injection
-------------
We found one instance of SQL Injection in NolaPro. The vulnerable script is
invitemlstreorder.php and the parameter is vendorid.
To reproduce the bug, first input the value 1 on the invitemlstreorder.php page in the
box for the ID value. The server should respond almost instantly. Now input the following 
value :

1 or BENCHMARK(2500000,MD5(1))

The server should take some time to respond (if the delay is too short, increase the 
2500000 value).

Information Disclosure
----------------------
The checkfile.php script gives indication on the existence of files on the server. This
information could be used by an attacker to gain information on the server and perform a
targeted attack. Access to this script should require authentication and be accessible to
administrators only.

03 : Vendor communication

april 18th 2010 : vendor contacted
april 19th 2010 : vendor replied
april 21th 2010 : new version available
may 1st 2010   : public disclosure

Corelan Team wants to thank Noguska for their great response and handling of the issues
disclosed.