CBMS: XSS and SQL Injection holes

PROGRAM: CBMS
VENDOR: Voxel Dot Net, Inc. <cbms@voxel.net>
HOMEPAGE: http://www.voxel.net/projects/cbms/
VULNERABLE VERSIONS: 0.7 (and possibly earlier versions as well)
LOGIN REQUIRED: yes
SEVERITY: high
VERSION OF THIS ADVISORY: 1.1

DESCRIPTION:

"The CBMS is a full featured client/billing management system designed from the ground up to cater specifically to hosting providers. The software is a PHP script package which uses mysql. Notable features include automated invoicing, client search, multiple customizable packages for clients, and client viewable real time invoice."
(direct quote from the program's project page at Freshmeat)

It is published under the terms of the Voxel Public License.

SECURITY HOLES:

CBMS is littered with XSS (Cross-site Scripting) and SQL Injection holes. Whether you are looking at a client, working with invoices or editing client packages, those holes exist almost everywhere. The code does nothing to stop it either: it simply allows HTML code to be posted and malicious data to be injected into SQL statements.

One obvious example of an XSS hole is the first name field on the "Add a new client" screen, a field which is shown without the htmlspecialchars() treatment in the client list.

One example of an SQL Injection hole can be found in the dltclnt.php script, which wipes all clients if you go to dltclnt.php?choice=yes&idnum=clientid

COMMUNICATION WITH VENDOR:

The vendor was contacted the first time on the 19th of May. No reply. They were contacted again on the 24th of May. This time they replied that they were working on a fixed version, which still has not been released.

// Ulf Harnhammar
ulfh@update.uu.se
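The two defects named above (unescaped first name in the client list, unvalidated idnum in the delete-client script) as an added illustration, not CBMS's own code: a simplified PHP handler showing the weak pattern beside its hardened form. It assumes a mysqli connection $db and a hypothetical clients table keyed by idnum.

```php
<?php
// Added illustrative example, not code from CBMS. Assumes a mysqli
// connection $db and a hypothetical table `clients` keyed by `idnum`.

// Weak pattern of the kind the advisory describes: request data is
// concatenated straight into the SQL statement, so the WHERE clause
// is under the caller's control.
function delete_client_weak(mysqli $db, array $get): bool
{
    if (($get['choice'] ?? '') !== 'yes') {
        return false;
    }
    $sql = "DELETE FROM clients WHERE idnum = " . $get['idnum'];
    return (bool) $db->query($sql);
}

// Hardened form: validate the id as a positive integer and bind it as a
// parameter, so the statement structure can no longer be altered and a
// single row is the most that can be removed.
function delete_client_safe(mysqli $db, array $get): bool
{
    if (($get['choice'] ?? '') !== 'yes') {
        return false;
    }
    $id = filter_var($get['idnum'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return false;                 // reject anything but a positive integer
    }
    $stmt = $db->prepare("DELETE FROM clients WHERE idnum = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->affected_rows === 1; // exactly one client removed
}

// Output side: the client list must escape stored fields such as the
// first name, so a value containing HTML is shown literally rather than
// rendered by the browser.
function render_client_row(array $client): string
{
    $first = htmlspecialchars($client['firstname'], ENT_QUOTES, 'UTF-8');
    $last  = htmlspecialchars($client['lastname'], ENT_QUOTES, 'UTF-8');
    return "<tr><td>{$first}</td><td>{$last}</td></tr>\n";
}
```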