thERP 1.4.4 multiple security vulnerabilities

There are multiple security vulnerabilities in thERP <= 1.4.4 which allow an unauthenticated user to take control of the application.

Software

Software Link: thERP

Vulnerable Version: <= 1.4.4

Vendor Notification: service@softexconsulting.com [ 2010-11-16 10:30 PM ]

# No reply from vendor by 2010-11-23 # Advisory released.

Vulnerabilities

# Authentication Bypass # Unpatched

Username: admin Password: 'or'1'='1

The following proof of concept is available:

# SQL Injection # Unpatched

The following proof of concept is available:

# Blind SQL Injection # Unpatched

The following proof of concept is available:

# Persistent Cross Site Scripting # Unpatched

Cross-Site Scripting payloads can be injected into the logs by mangling an SQL query and appending the XSS payload. The resulting SQL error is saved to the log together with the XSS payload, without output encoding. The payload is executed whenever an authorized user browses "/common/logger.php".
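The following is an added illustration, not code from the advisory or from thERP itself: a small Python/sqlite3 model of the two sinks described above (the authentication bypass with the password 'or'1'='1, and the SQL error log that carries an injected script into a log viewer), each beside its hardened form. The users table, its column names, the log layout and the payload string are constructed assumptions; thERP's real schema and logger are not known from the advisory.

```python
import html
import sqlite3

# Constructed sample data standing in for thERP's user table
# (table and column names are assumptions, not thERP's schema).
USERS = [
    (1, "admin", "s3cret"),
    (2, "clerk", "hunter2"),
]

# Stands in for the log file rendered by a viewer such as /common/logger.php.
LOG = []


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def vulnerable_login(username, password):
    """String-concatenated query. With password 'or'1'='1 the WHERE clause
    becomes  username='admin' AND password='' OR '1'='1'  and matches every
    row, so any first row is returned as the logged-in user."""
    conn = _connect()
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as err:
        # A mangled query is logged verbatim, attacker input included:
        # this is the persistent XSS sink the advisory describes.
        LOG.append(f"SQL error: {err} in query: {sql}")
        return None
    return row[0] if row else None


def safe_login(username, password):
    """Parameterised query: the driver binds both values, so the same
    password string is compared literally and matches nothing."""
    conn = _connect()
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def render_log_vulnerable():
    """A log viewer that echoes stored lines raw: any <script> in a logged
    query runs in the browser of whoever opens the page."""
    return "<pre>" + "\n".join(LOG) + "</pre>"


def render_log_safe():
    """Same viewer with HTML output encoding: the payload is displayed,
    not executed."""
    return "<pre>" + "\n".join(html.escape(line) for line in LOG) + "</pre>"


if __name__ == "__main__":
    print(vulnerable_login("admin", "'or'1'='1"))   # a username: bypass works
    print(safe_login("admin", "'or'1'='1"))         # None: bound parameter
    # Constructed payload: the trailing quote leaves the SQL string literal
    # unterminated, forcing a syntax error that is logged with the payload.
    vulnerable_login("<script>alert(1)</script>'", "x")
    print(render_log_vulnerable())
    print(render_log_safe())
```

The bypass works because the concatenated password value ends the string literal early and the trailing OR '1'='1' is always true; binding the value as a parameter keeps the quote inside the data. The log viewer fix is independent of the SQL fix: even with parameterised queries, anything written to the log from user input must be encoded at the point where it is rendered as HTML.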

Reference

# OWASP: SQL Injection

# OWASP: Cross-Site Scripting

# OWASP: Authentication Bypass

Appendix

[TXT] thERP multiple security vulnerabilities