phpRechnung 1.6 RC2 multiple security vulnerabilities
There are multiple security vulnerabilities in phpRechnung 1.6 RC2 which allow an unauthorized user to take control of the software.
Software
Software Link: phpRechnung
Vulnerable Version: <= 1.6 RC2
Vendor Notification:
# 2010-11-13 # Bug 3108030 submitted
# 2010-12-07 # Vendor resolved issues
# 2010-12-08 # Vendor released phpRechnung version 1.6.1
# 2010-12-17 # Advisory released
Vulnerabilities
# Authentication Bypass # <= 1.6 RC2 # Patched
The issue is due to failure in "/login/loginf.php" to correctly sanitize user-supplied data in the "Username" and "Password" parameters.
The following proof of concept is available:
Username: admin
Password: 'or'1'='1'--
# Reflected Cross-Site Scripting (XSS) # <= 1.6 RC2 # Patched
The issue is due to failure in numerous files to correctly sanitize user-supplied data. Most files are vulnerable in the "*ID", "Sort", "Order" and "page" parameters.
The following proof of concept is available :
# SQL Injection # <= 1.6 RC2 # Patched
The issue is due to failure in numerous files to correctly sanitize user-supplied data. Most files are vulnerable in the "*ID" parameter(s).
The following proof of concept is available :
# Blind SQL Injection # <= 1.6 RC2 # Patched
The issue is due to failure in "/offer/print_pdf.php" to correctly sanitize user-supplied data in the "offerID" parameter.
The following proof of concept is available :