phpRechnung 1.6 RC2 multiple security vulnerabilities

There are multiple security vulnerabilities in phpRechnung 1.6 RC2 which allow an unauthorized user to take control of the software.

Software

Software Link: phpRechnung

Vulnerable Version: <= 1.6 RC2

Vendor Notification:

# 2010-11-13 # Bug 3108030 submitted

# 2010-12-07 # Vendor resolved issues

# 2010-12-08 # Vendor released phpRechnung version 1.6.1

# 2010-12-17 # Advisory released

Vulnerabilities

# Authentication Bypass # <= 1.6 RC2 # Patched

The issue is caused by "/login/loginf.php" failing to correctly sanitize user-supplied data in the "Username" and "Password" parameters.

Username: admin Password: 'or'1'='1'--

The following proof of concept is available:
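Added illustration, not part of the advisory and not phpRechnung code: a minimal model of a login query built by string concatenation next to the same query with bound parameters, run against the username and password values quoted above. The table layout, the stored secret and all function names are assumptions made for the example; SQLite stands in for the application's database.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a user table; not phpRechnung's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def build_login_sql(username, password):
    # Vulnerable pattern: input is pasted into the SQL text, so quote
    # characters in the input change the structure of the statement.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(db, username, password):
    row = db.execute(build_login_sql(username, password)).fetchone()
    return row[0] if row else None


def login_hardened(db, username, password):
    # Bound parameters travel as data and can never become SQL syntax.
    # Password storage is left as in the constructed table so that only
    # the query construction differs between the two functions.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    poc = "'or'1'='1'--"  # password value quoted in the advisory
    # The rendered statement shows the WHERE clause gaining an OR branch
    # that is always true, with the trailing quote commented out.
    print(build_login_sql("admin", poc))
    print("concatenated query:", login_vulnerable(db, "admin", poc))
    print("bound parameters:  ", login_hardened(db, "admin", poc))
```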

# Reflected Cross-Site Scripting (XSS) # <= 1.6 RC2 # Patched

The issue is caused by numerous files failing to correctly sanitize user-supplied data. Most files are vulnerable in the "*ID", "Sort", "Order" and "page" parameters.

The following proof of concept is available:

# SQL Injection # <= 1.6 RC2 # Patched

The issue is caused by numerous files failing to correctly sanitize user-supplied data. Most files are vulnerable in the "*ID" parameter(s).

The following proof of concept is available:

# Blind SQL Injection # <= 1.6 RC2 # Patched

The issue is caused by "/offer/print_pdf.php" failing to correctly sanitize user-supplied data in the "offerID" parameter.

The following proof of concept is available:

Reference

# OWASP: SQL Injection

# OWASP: Cross-Site Scripting

# OWASP: Authentication Bypass

Appendix

[TXT] phpRechnung 1.6 RC2 multiple security vulnerabilities