Truworth PHP Invoice Software 2.1 multiple vulnerabilities
There are multiple security vulnerabilities in Truworth PHP Invoice Software 2.1 which allow an attacker to remotely compromise the software.
Software Link: Truworth PHP Invoice Software 2.1
Vulnerable Version: <= 2.1
Vendor Notification: firstname.lastname@example.org at 2010-11-06
# No reply from vendor by 2010-11-13 # Advisory released.
# Authentication Bypass # 2.1 # Unpatched
There is an authentication bypass vulnerability in Truworth PHP Invoice Software 2.1 due to the application failing to properly sanitize user-supplied input during authentication. Exploitation of this vulnerability would permit unauthorized access with admin privileges.
# Information Disclosure # Full Path Disclosure # ( Requires authorised session ) # 2.1 # Unpatched
# Information Disclosure # Remote Database Disclosure Vulnerability # 2.1 # Unpatched
An attacker can remotely request the database backup from the "/database_backups/" directory without authentication.
If directory indexing is disabled, the attacker must brute-force the database file name in the following format:
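Added example, not part of the original advisory and not the file name format it refers to: a defender-side check that scans a web server access log for the two behaviours described above, a successful fetch from "/database_backups/" and repeated failed guesses at file names. The log lines, the file names in them, the combined log format and the threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

BACKUP_DIR = "/database_backups/"  # directory named in the advisory
GUESS_THRESHOLD = 3                # assumption: misses per client before alerting

# Common/combined access log: client, request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines; file names are placeholders, not the application's format.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Nov/2010:10:00:01 +0000] "GET /database_backups/ HTTP/1.1" 200 1482
198.51.100.7 - - [13/Nov/2010:10:00:05 +0000] "GET /database_backups/placeholder-a.sql HTTP/1.1" 200 734003
203.0.113.9 - - [13/Nov/2010:10:02:11 +0000] "GET /database_backups/guess-1.sql HTTP/1.1" 404 209
203.0.113.9 - - [13/Nov/2010:10:02:11 +0000] "GET /database_backups/guess-2.sql HTTP/1.1" 404 209
203.0.113.9 - - [13/Nov/2010:10:02:12 +0000] "GET /database_backups/guess-3.sql HTTP/1.1" 404 209
192.0.2.44 - - [13/Nov/2010:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

def find_backup_exposure(log_text, threshold=GUESS_THRESHOLD):
    """Return sorted (client_ip, finding) pairs for requests under BACKUP_DIR."""
    findings, misses = set(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        # Drop the query string and decode %xx so encoded paths still match.
        path = unquote(m["path"].split("?", 1)[0])
        if BACKUP_DIR not in path:  # 'in' also covers installs in a subdirectory
            continue
        status = int(m["status"])
        if status == 200 and path.endswith(BACKUP_DIR):
            findings.add((m["ip"], "directory-index-served"))
        elif status in (200, 206):
            findings.add((m["ip"], "backup-downloaded:" + path))
        elif status in (403, 404):
            misses[m["ip"]] += 1  # candidate file-name guess
    for ip, count in misses.items():
        if count >= threshold:
            findings.add((ip, "filename-guessing:%d-misses" % count))
    return sorted(findings)

if __name__ == "__main__":
    for ip, finding in find_backup_exposure(SAMPLE_LOG):
        print(ip, finding)
```

Any finding for this directory indicates that the backups are reachable over HTTP; moving them outside the web root or denying access to the directory at the web server removes the exposure.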
# Cross-Site Request Forgery # ( Requires authorised session ) # 2.1 # Unpatched
There is a Cross-Site Request Forgery vulnerability in "/index.php" which allows an attacker to create a backup of the database if an authorized user browses a malicious page.
The following proof of concept is available: