MailOrderWorks 5.907 – Multiple Vulnerabilities

  • 作者: Vulnerability-Lab
    日期: 2013-03-29
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/24901/
  • Title:
    ======
    MailOrderWorks v5.907 - Multiple Web Vulnerabilities
    
    
    Date:
    =====
    2013-01-02
    
    
    References:
    ===========
    http://www.vulnerability-lab.com/get_content.php?id=798
    
    
    VL-ID:
    =====
    796
    
    
    Common Vulnerability Scoring System:
    ====================================
    4.5
    
    
    Introduction:
    =============
    Mail order management and stock control is easy with MailOrderWorks. MailOrderWorks (aka MOW) is an easy to use mail order 
    software and stock control system that supports multiple users, but is also ideal for single person companies too. Our software 
    allows you and your staff to access the same information, at the same time, from anywhere - even if you`re not in the same office 
    or building. It`s affordable, easy to use, allows integration and is easily expandable for more users. It`s free to try too.
    
    (Copy of the Vendor Homepage: http://www.mailorderworks.co.uk/index.php )
    
    
    Abstract:
    =========
    The Vulnerability-Laboratory Research Team discovered multiple web vulnerabilities in MailOrderWorks v5.907, Mail order management application.
    
    
    
    Report-Timeline:
    ================
    2012-12-26:	Public Disclosure
    
    
    Status:
    ========
    Published
    
    
    Affected Products:
    ==================
    2Dmedia
    Product: MailOrderWorks 5.907
    
    
    Exploitation-Technique:
    =======================
    Remote
    
    
    Severity:
    =========
    Medium
    
    
    Details:
    ========
    Multiple persistent web vulnerabilities are detected in the MailOrderWorks v5.907, Mail order management application.
    The vulnerability allows an attacker to inject own malicious script code in the vulnerable modules on application side (persistent).
    
    The vulnerabilities mainly exist in the create document/print module. The module doesn`t validate the file context when processing to create. 
    For example, if we are creating a products summary, the print module(vulnerable) doesn`t check the productstitles, and creates the document 
    with the injected malicious code inside.
    
    1.1
    The first vulnerability is located in the `dispatch order` module. The attacker can create an order by injecting the malicious code in the 
    vulnerable customer parameters which are firstname, lastname, custom A1 and custom A2. For the malicious code to get executed, the target user 
    should go to `dispatch order` module `Open Batch screen`and then click `start`. The output file executes the malicious script code while 
    creating the malicious order via add.
    
    1.2
    The second vulnerability is located in the `reports and exports` module. The attacker can create an order injecting the vulnerable parameters 
    in it. The malicious code will be executed when the user choose the orders and create a report about them. The vulnerability also can be 
    executed from creating a report about the products. The attacker can create a product with injecting malicious code in the vulnerable 
    parameters which are SKU, Title and Group. When the user create a report about the products, the malicious code will be executed out of the 
    context from the report file 
    
    1.3
    The persistent input validation vulnerability is located in the `Create/View issue` in the show/add orders modules. The attacker can 
    inject malicious codes in different vulnerable parameters which are Reason/fault, Resolution, Issue Notes and Order notes. Whenever the user 
    clicks on `print issue document` a file will be generated and it includes the malicious codes where it gets executed.
    
    1.4
    The final persistent cross-site scripting vulnerability is ver critical because it gets injected in every file that is being generated from 
    the MailOrderWorld(MOW). The vulnerability is located in the settings of the application where the attacker can inject a malicious code inside 
    the company profiles in the vulnerable fields which are, Company Name and Address. Whenever a user generates any page, the malicious code will 
    be executed because the fields: `company name` and `company address` are included in every page that is generated by MOW.
    
    The vulnerability can be exploited with privileged application user account and low or medium required user interaction.
    Successful exploitation of the vulnerability result in persistent/non-persistent session hijacking, persistent/non-persistent 
    phishing, external redirect, external malware loads and persistent/non-persistent vulnerable module context manipulation.
    
    
    Vulnerable Service(s):
    				[+] MailOrderWorks (5.907)
    
    Vulnerable Section(s):
    				[+] New Order
    				[+] Add new Product
    				[+] View Orders
    				[+] Settings
    
    Vulnerable Module(s):
    				[+] Customer
    				[+] Add new Product
    				[+] View Orders => Done => Create/View Issue 
    				[+] Company Settings
    
    Vulnerable Parameter(s):
    				[+] [Name] - [Mobile/Work] - [Custom A1] - [Custom A2] - [Custom B] - [Email] 
    				[+] [SKU] - [Title] - [Group]
    				[+] [Reason/fault] - [Resolution] - [Issue Notes] - [Order notes]
    				[+] [Company name] - [Address] - [Document Title] - [Details/Message]
    
    Affected Module(s):
    				[+] dispatch order > Open batch screen > Start
    				[+] Reports and Exports	 > [Products] - [Dispatch]
    				[+] View Orders > Done > Create/View Issue > Print issue Document
    				[+] Any document Generated by MOW
    
    
    
    Proof of Concept:
    =================
    The persistent input validation web vulnerabilities can be exploited by remote attackers with low or medium required user interaction and 
    low privileged application user account. For demonstration or reproduce ...
    
    #1
    
    Vulnerable Module(s):	New Order => [Name] - [Mobile/Work] - [Custom A1] - [Custom A2] - [Custom B] - [Email] 
    Affected Module(s): 	dispatch order => open batch screen => start
    
    Code Review:
    	<div id="container">
    		<div id="tl">
    			<h1>Sales Invoice</h1>
    			<dl style="padding-left: 12px; padding-top: 8px;">
    				<dt>Invoice No.</dt>
    				<dd>1004</dd>
    				<dt>Order Date</dt>
    				<dd>12/24/2012</dd>
    				<dt>Custom B1</dt>
    				<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
    				<dt>Custom B2</dt>
    				<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
    			</dl>
    		</div>
    		<div id="tr">
    			<img src="https://www.exploit-db.com/exploits/24901/vlabs_top.png" width="223" height="67" align="right" style="padding-left: 10px;" />
    			<div style="font-size: 13px; font-weight: bold; padding-bottom: 3px; padding-top: 7px;">vlabs</div>
    			<div style="padding-left: 12px;">Example Unit<BR>Works Business Park<BR>Mail Order Road<BR>County<BR>AB1 2BC</div>
    			<div style="padding-top: 8px; padding-left: 12px; clear: both;">Phone: (edit in settings)<BR>Email: 
    (edit in settings)<BR>Web: (edit in settings)<BR>Company No. (edit in settings), VAT Reg No. (edit in settings)</div>
    		</div>
    		<div style="clear: both; padding-top: 10px;">
    			<div id="delivery">
    				<h3>Deliver To</h3>
    				<div class="address">
    					Mr [PERSISTENT INJECTED SCRIPT CODE!] <br />
    				</div>
    			</div>
    			<div id="billing">
    				<h3>Invoice To</h3>
    				<div class="address">
    					Mr"><[PERSISTENT INJECTED SCRIPT CODE!]")></iframe><br />
    				</div>
    			</div>
    			<div id="customer">
    				<dl>
    					<dt>Customer</dt>
    					<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
    					<dt>Account</dt>
    					<dd>568-3671</dd>
    					<dt>Custom A1</dt>
    					<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
    					<dt>Custom A2</dt>
    					<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
    				</dl>
    			</div>
    		</div>
    		<div id="items">
    			<table width="100%" border="0" cellpadding="0" cellspacing="0" class="items">
    				<tr>
    					<th width="12%" nowrap="nowrap">SKU </th>
    					<th width="48%" nowrap="nowrap">Description </th>
    					<th width="7%" nowrap="nowrap"><div align="right"> Qty</div></th>
    			<!-- RATESTART --><th width="10%" nowrap="nowrap"><div align="right"> Rate</div></th><!-- RATEEND -->
    					<th width="11%" nowrap="nowrap"><div align="right"> Unit Price</div></th>
    					<th width="12%" nowrap="nowrap"><div align="right"> Line Total</div></th>
    				</tr>		
    			</table>
    		</div>
    	</div>
    	<div id="summary">
    
    
    
    #2
    
    Vulnerable Module(s): 	Add new Product => [SKU] - [Title] - [Group]
    Affected Module(s): 	Reports and Exports => [Products] - [Dispatch]
    
    Code Review:
    <TR>
    <TH noWrap>SKU</TH>
    <TH noWrap>Title</TH>
    <TH noWrap>Spec</TH>
    <TH noWrap>Group</TH>
    <TH noWrap>Retail Price</TH>
    <TH noWrap>Available</TH>
    <TH noWrap>In Stock</TH>
    <TH noWrap>Pending</TH>
    <TH noWrap>Allocated</TH>
    <TH noWrap>Low Level</TH>
    <TH noWrap>Cost</TH>
    <TH noWrap>Supplier</TH>
    <TH noWrap>Sold</TH>
    <TH noWrap>Last Sold</TH>
    <TH noWrap>Stock First Arrival</TH></TR>
    <TR>
    <TD vAlign=top>[PERSISTENT INJECTED SCRIPT CODE!]' 
    src="res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
    <TD vAlign=top>[PERSISTENT INJECTED SCRIPT CODE!]' 
    src="res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
    <TD vAlign=top>[PERSISTENT INJECTED SCRIPT CODE!]' 
    src="res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
    <TD vAlign=top>[PERSISTENT INJECTED SCRIPT CODE!]' 
    src="res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
    <TD vAlign=top>=A31.00</TD>
    <TD vAlign=top>10</TD>
    <TD vAlign=top>10</TD>
    <TD vAlign=top>0</TD>
    <TD vAlign=top>0</TD>
    <TD vAlign=top>0</TD>
    <TD vAlign=top>=A312.00</TD>
    <TD vAlign=top> </TD>
    <TD vAlign=top> </TD>
    <TD vAlign=top> </TD>
    <TD vAlign=top>12/24/2012</TD></TR>
    <TR>
    <TD vAlign=top>BBA123G</TD>
    <TD vAlign=top>Angled Building Block</TD>
    
    
    
    #3
    
    Vulnerable Module(s): 	View Orders => [Reason/fault] - [Resolution] - [Issue Notes] - [Order notes]
    Affected Module(s): 	Reports and Exports => View Orders => Done => Create/View Issue => print issue Document
    
    Code Review: 
    
     <TBODY>
    <TR>
    <TD vAlign=top width="32%">
    <P><STRONG>Fault Description</STRONG></P>
    <P>Created: 12/25/2012</P></TD>
    <TD vAlign=top width="68%">
    =
    [PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
    <TR>
    <TD> </TD></TR>
    <TR>
    <TD>
    <TABLE 
    style="BORDER-BOTTOM: #000000 1px solid; =
    BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; =
    BORDER-RIGHT: #000000 1px solid" 
    border=0 cellSpacing=10 cellPadding=8 =
    width="100%">
    <TBODY>
    <TR>
    <TD vAlign=top width="32%">
    <P><STRONG>Resolution</STRONG></P>
    <P>Resolved: </P></TD>
    <TD vAlign=top width="68%">
    =
    [PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
    <TR>
    <TD> </TD></TR>
    <TR>
    <TD>
    <TABLE 
    style="BORDER-BOTTOM: #000000 1px solid; =
    BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; =
    BORDER-RIGHT: #000000 1px solid" 
    border=0 cellSpacing=10 cellPadding=8 =
    width="100%">
    <TBODY>
    <TR>
    <TD vAlign=top width="32%"><STRONG>Fault =
    Report Notes 
    </STRONG></TD>
    <TD vAlign=top width="68%">
    [PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
    <TR>
    <TD> </TD></TR>
    <TR>
    <TD>
    <TABLE 
    style="BORDER-BOTTOM: #000000 1px solid; =
    BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; =
    BORDER-RIGHT: #000000 1px solid" 
    border=0 cellSpacing=10 cellPadding=8 =
    width="100%">
    <TBODY>
    <TR>
    <TD vAlign=top width="32%"><STRONG>Order Notes =
    
    </STRONG></TD>
    <TD vAlign=top width="68%">
    [PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
    <TR>
    <TD> </TD></TR>
    <TR>
    <TD> </TD></TR></TBODY></TABLE></TD></TR>
    <TR>
    <TD><IMG 
    =
    src="file:///C:/Documents%20and%20Settings/storm/Local%20Settings/Temp/=
    vlabs_1x1.jpg" 
    width=1 height=150></TD>
    <TD 
    vAlign=top> </TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></=
    BODY></HTML>
    
    ...
    
    Vulnerable Module(s): 	Settings => [Company name] - [Address] - [Document Title] - [Details/Message]
    Affected Module(s): 	all generated files by MOW
    
    Code Review: 
    
    From: <Saved by Windows Internet Explorer 8>
    Subject: [PERSISTENT INJECTED SCRIPT CODE!](MailOrderWorks)
    Date: Tue, 25 Dec 2012 11:59:57 -0800
    MIME-Version: 1.0
    Content-Type: multipart/related;
    	type="text/html";
    	boundary="----=_NextPart_000_0000_01CDE297.5C26ACF0"
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
    
    
     class=style20><BR></SPAN></STRONG></DIV></TD>
    <TD vAlign=top width="50%">
    <DIV align=right>
    <P><IMG 
    =
    src="https://www.exploit-db.com/exploits/24901/" 
    width=323 height=99><BR><BR><STRONG>
    [PERSISTENT INJECTED SCRIPT CODE!]</STRONG><BR>
     [PERSISTENT INJECTED SCRIPT CODE!]
    <P></P></DIV></TD></TR></TBODY></TABLE></DIV></TD></TR>
    <TR>
    <TD vAlign=top>
    <TABLE border=0 cellSpacing=0 cellPadding=0 width="100%">
    <TBODY>
    <TR>
    <TD width=1><IMG 
    =
    src="https://www.exploit-db.com/exploits/24901/" 
    width=1 height=450></TD>
    
    
    Risk:
    =====
    The security risk of the persistent input validation web vulnerabilities are estimated as medium(+).
    
    
    
    Credits:
    ========
    Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [storm@vulnerability-lab.com] [iel-sayed.blogspot.com]
    
    
    
    Disclaimer:
    ===========
    The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
    either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
    Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
    profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
    states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
    may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
    or trade with fraud/stolen material.
    
    Domains:www.vulnerability-lab.com 	- www.vuln-lab.com			 - www.vulnerability-lab.com/register
    Contact:admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	 - research@vulnerability-lab.com
    Section:video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		 - news.vulnerability-lab.com
    Social:	twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	 - youtube.com/user/vulnerability0lab
    Feeds:	vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
    
    Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
    Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
    media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
    other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
    modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
    
    				 	Copyright � 2013 | Vulnerability Laboratory
    
    -- 
    VULNERABILITY RESEARCH LABORATORY
    LABORATORY RESEARCH TEAM
    CONTACT: research@vulnerability-lab.com