Truworth PHP Invoice Software 2.1 multiple vulnerabilities

There are multiple security vulnerabilities in Truworth PHP Invoice Software 2.1 which allow an attacker to remotely compromise the software.

Software

Software Link: Truworth PHP Invoice Software 2.1

Vulnerable Version: <= 2.1

Vendor Notification: rm@truworth.com at 2010-11-06

# No reply from vendor by 2010-11-13 # Advisory released.

Vulnerabilities

# Authentication Bypass # 2.1 # Unpatched

There is an authentication bypass vulnerability in Truworth PHP Invoice Software 2.1 because the application fails to properly sanitize user-supplied input during authentication. Exploitation of this vulnerability would permit unauthorized access with admin privileges.

# Information Disclosure # Full Path Disclosure # ( Requires authorised session ) # 2.1 # Unpatched

# Information Disclosure # Remote Database Disclosure Vulnerability # 2.1 # Unpatched

An attacker can remotely request the database backup from the "/database_backups/" directory without authentication.

If directory indexing is disabled the attacker must bruteforce the database file name in the following format:
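Detection example, added here and not part of the original advisory: both access patterns described in this section leave traces in the web server access log. The Python code below scans combined-format log lines for content served from "/database_backups/" and for clients accumulating misses there; the log lines, file names, threshold and function names are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined Log Format fields used here: client IP, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
BACKUP_PREFIX = "/database_backups/"  # directory named in the advisory
GUESS_THRESHOLD = 3                   # assumption: misses per client before flagging

def normalize(raw_path):
    """Drop the query string, decode %XX escapes, collapse repeated slashes."""
    path = unquote(raw_path.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()

def scan(lines, threshold=GUESS_THRESHOLD):
    """Return (downloads, guessers) for requests under the backup directory."""
    downloads, misses = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        path = normalize(m["path"])
        if not path.startswith(BACKUP_PREFIX):
            continue
        status = int(m["status"])
        if status in (200, 206):      # content served: backup or directory index
            downloads.append((m["ip"], path))
        elif status in (403, 404):    # miss: possible file name guessing
            misses[m["ip"]] += 1
    guessers = sorted(ip for ip, n in misses.items() if n >= threshold)
    return downloads, guessers

# Constructed sample log (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Nov/2010:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/Nov/2010:10:00:02 +0000] "GET /database_backups/guess1.sql HTTP/1.1" 404 210',
    '198.51.100.7 - - [13/Nov/2010:10:00:03 +0000] "GET //database_backups/guess2.sql HTTP/1.1" 404 210',
    '198.51.100.7 - - [13/Nov/2010:10:00:04 +0000] "GET /database%5Fbackups/guess3.sql HTTP/1.1" 404 210',
    '198.51.100.7 - - [13/Nov/2010:10:00:05 +0000] "GET /database_backups/example.sql HTTP/1.1" 200 48213',
    '203.0.113.5 - - [13/Nov/2010:10:00:06 +0000] "GET /database_backups/ HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    found, suspects = scan(SAMPLE_LOG)
    print("served from backup dir:", found)
    print("clients guessing names:", suspects)
```

Any entry in the first result means a backup or directory listing was served to that client, so the backup should be treated as disclosed.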

# Cross-Site Request Forgery # ( Requires authorised session ) # 2.1 # Unpatched

There is a Cross-Site Request Forgery vulnerability in "/index.php" which allows an attacker to create a backup of the database if an authorized user browses a malicious page.

The following proof of concept is available:

Reference

OWASP: Information Leak

OWASP: Cross-Site Scripting (XSS)

OWASP: Cross-Site Request Forgery

OWASP: Full Path Disclosure (FPD)
