Title: ====== MailOrderWorks v5.907 - Multiple Web Vulnerabilities Date: ===== 2013-01-02 References: =========== http://www.vulnerability-lab.com/get_content.php?id=798 VL-ID: ===== 796 Common Vulnerability Scoring System: ==================================== 4.5 Introduction: ============= Mail order management and stock control is easy with MailOrderWorks. MailOrderWorks (aka MOW) is an easy to use mail order software and stock control system that supports multiple users, but is also ideal for single person companies too. Our software allows you and your staff to access the same information, at the same time, from anywhere - even if you`re not in the same office or building. It`s affordable, easy to use, allows integration and is easily expandable for more users. It`s free to try too. (Copy of the Vendor Homepage: http://www.mailorderworks.co.uk/index.php ) Abstract: ========= The Vulnerability-Laboratory Research Team discovered multiple web vulnerabilities in MailOrderWorks v5.907, Mail order management application. Report-Timeline: ================ 2012-12-26: Public Disclosure Status: ======== Published Affected Products: ================== 2Dmedia Product: MailOrderWorks 5.907 Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== Multiple persistent web vulnerabilities are detected in the MailOrderWorks v5.907, Mail order management application. The vulnerability allows an attacker to inject own malicious script code in the vulnerable modules on application side (persistent). The vulnerabilities mainly exist in the create document/print module. The module doesn`t validate the file context when processing to create. For example, if we are creating a products summary, the print module(vulnerable) doesn`t check the products titles, and creates the document with the injected malicious code inside. 1.1 The first vulnerability is located in the `dispatch order` module. The attacker can create an order by injecting the malicious code in the vulnerable customer parameters which are firstname, lastname, custom A1 and custom A2. For the malicious code to get executed, the target user should go to `dispatch order` module `Open Batch screen` and then click `start`. The output file executes the malicious script code while creating the malicious order via add. 1.2 The second vulnerability is located in the `reports and exports` module. The attacker can create an order injecting the vulnerable parameters in it. The malicious code will be executed when the user choose the orders and create a report about them. The vulnerability also can be executed from creating a report about the products. The attacker can create a product with injecting malicious code in the vulnerable parameters which are SKU, Title and Group. When the user create a report about the products, the malicious code will be executed out of the context from the report file 1.3 The persistent input validation vulnerability is located in the `Create/View issue` in the show/add orders modules. The attacker can inject malicious codes in different vulnerable parameters which are Reason/fault, Resolution, Issue Notes and Order notes. Whenever the user clicks on `print issue document` a file will be generated and it includes the malicious codes where it gets executed. 1.4 The final persistent cross-site scripting vulnerability is ver critical because it gets injected in every file that is being generated from the MailOrderWorld(MOW). The vulnerability is located in the settings of the application where the attacker can inject a malicious code inside the company profiles in the vulnerable fields which are, Company Name and Address. Whenever a user generates any page, the malicious code will be executed because the fields: `company name` and `company address` are included in every page that is generated by MOW. The vulnerability can be exploited with privileged application user account and low or medium required user interaction. Successful exploitation of the vulnerability result in persistent/non-persistent session hijacking, persistent/non-persistent phishing, external redirect, external malware loads and persistent/non-persistent vulnerable module context manipulation. Vulnerable Service(s): [+] MailOrderWorks (5.907) Vulnerable Section(s): [+] New Order [+] Add new Product [+] View Orders [+] Settings Vulnerable Module(s): [+] Customer [+] Add new Product [+] View Orders => Done => Create/View Issue [+] Company Settings Vulnerable Parameter(s): [+] [Name] - [Mobile/Work] - [Custom A1] - [Custom A2] - [Custom B] - [Email] [+] [SKU] - [Title] - [Group] [+] [Reason/fault] - [Resolution] - [Issue Notes] - [Order notes] [+] [Company name] - [Address] - [Document Title] - [Details/Message] Affected Module(s): [+] dispatch order > Open batch screen > Start [+] Reports and Exports > [Products] - [Dispatch] [+] View Orders > Done > Create/View Issue > Print issue Document [+] Any document Generated by MOW Proof of Concept: ================= The persistent input validation web vulnerabilities can be exploited by remote attackers with low or medium required user interaction and low privileged application user account. For demonstration or reproduce ... #1 Vulnerable Module(s): New Order => [Name] - [Mobile/Work] - [Custom A1] - [Custom A2] - [Custom B] - [Email] Affected Module(s): dispatch order => open batch screen => start Code Review: <div id="container"> <div id="tl"> <h1>Sales Invoice</h1> <dl style="padding-left: 12px; padding-top: 8px;"> <dt>Invoice No.</dt> <dd>1004</dd> <dt>Order Date</dt> <dd>12/24/2012</dd> <dt>Custom B1</dt> <dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd> <dt>Custom B2</dt> <dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd> </dl> </div> <div id="tr"> <img src="vlabs_top.png" width="223" height="67" align="right" style="padding-left: 10px;" /> <div style="font-size: 13px; font-weight: bold; padding-bottom: 3px; padding-top: 7px;">vlabs</div> <div style="padding-left: 12px;">Example Unit<BR>Works Business Park<BR>Mail Order Road<BR>County<BR>AB1 2BC</div> <div style="padding-top: 8px; padding-left: 12px; clear: both;">Phone: (edit in settings)<BR>Email: (edit in settings)<BR>Web: (edit in settings)<BR>Company No. (edit in settings), VAT Reg No. (edit in settings)</div> </div> <div style="clear: both; padding-top: 10px;"> <div id="delivery"> <h3>Deliver To</h3> <div class="address"> Mr [PERSISTENT INJECTED SCRIPT CODE!] <br /> </div> </div> <div id="billing"> <h3>Invoice To</h3> <div class="address"> Mr"><[PERSISTENT INJECTED SCRIPT CODE!]")></iframe><br /> </div> </div> <div id="customer"> <dl> <dt>Customer</dt> <dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd> <dt>Account</dt> <dd>568-3671</dd> <dt>Custom A1</dt> <dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd> <dt>Custom A2</dt> <dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd> </dl> </div> </div> <div id="items"> <table width="100%" border="0" cellpadding="0" cellspacing="0" class="items"> <tr> <th width="12%" nowrap="nowrap">SKU </th> <th width="48%" nowrap="nowrap">Description </th> <th width="7%" nowrap="nowrap"><div align="right"> Qty</div></th> <!-- RATESTART --><th width="10%" nowrap="nowrap"><div align="right"> Rate</div></th><!-- RATEEND --> <th width="11%" nowrap="nowrap"><div align="right"> Unit Price</div></th> <th width="12%" nowrap="nowrap"><div align="right"> Line Total</div></th> </tr> </table> </div> </div> <div id="summary"> #2 Vulnerable Module(s): Add new Product => [SKU] - [Title] - [Group] Affected Module(s): Reports and Exports => [Products] - [Dispatch] Code Review: <TR> <TH noWrap>SKU</TH> <TH noWrap>Title</TH> <TH noWrap>Spec</TH> <TH noWrap>Group</TH> <TH noWrap>Retail Price</TH> <TH noWrap>Available</TH> <TH noWrap>In Stock</TH> <TH noWrap>Pending</TH> <TH noWrap>Allocated</TH> <TH noWrap>Low Level</TH> <TH noWrap>Cost</TH> <TH noWrap>Supplier</TH> <TH noWrap>Sold</TH> <TH noWrap>Last Sold</TH> <TH noWrap>Stock First Arrival</TH></TR> <TR> <TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20 src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD> <TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20 src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD> <TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20 src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD> <TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20 src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD> <TD vAlign=3Dtop>=A31.00</TD> <TD vAlign=3Dtop>10</TD> <TD vAlign=3Dtop>10</TD> <TD vAlign=3Dtop>0</TD> <TD vAlign=3Dtop>0</TD> <TD vAlign=3Dtop>0</TD> <TD vAlign=3Dtop>=A312.00</TD> <TD vAlign=3Dtop> </TD> <TD vAlign=3Dtop> </TD> <TD vAlign=3Dtop> </TD> <TD vAlign=3Dtop>12/24/2012</TD></TR> <TR> <TD vAlign=3Dtop>BBA123G</TD> <TD vAlign=3Dtop>Angled Building Block</TD> #3 Vulnerable Module(s): View Orders => [Reason/fault] - [Resolution] - [Issue Notes] - [Order notes] Affected Module(s): Reports and Exports => View Orders => Done => Create/View Issue => print issue Document Code Review: <TBODY> <TR> <TD vAlign=3Dtop width=3D"32%"> <P><STRONG>Fault Description</STRONG></P> <P>Created: 12/25/2012</P></TD> <TD vAlign=3Dtop width=3D"68%"> = [PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR> <TR> <TD> </TD></TR> <TR> <TD> <TABLE=20 style=3D"BORDER-BOTTOM: #000000 1px solid; = BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; = BORDER-RIGHT: #000000 1px solid"=20 border=3D0 cellSpacing=3D10 cellPadding=3D8 = width=3D"100%"> <TBODY> <TR> <TD vAlign=3Dtop width=3D"32%"> <P><STRONG>Resolution</STRONG></P> <P>Resolved: </P></TD> <TD vAlign=3Dtop width=3D"68%"> = [PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR> <TR> <TD> </TD></TR> <TR> <TD> <TABLE=20 style=3D"BORDER-BOTTOM: #000000 1px solid; = BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; = BORDER-RIGHT: #000000 1px solid"=20 border=3D0 cellSpacing=3D10 cellPadding=3D8 = width=3D"100%"> <TBODY> <TR> <TD vAlign=3Dtop width=3D"32%"><STRONG>Fault = Report Notes=20 </STRONG></TD> <TD vAlign=3Dtop width=3D"68%"> [PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR> <TR> <TD> </TD></TR> <TR> <TD> <TABLE=20 style=3D"BORDER-BOTTOM: #000000 1px solid; = BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; = BORDER-RIGHT: #000000 1px solid"=20 border=3D0 cellSpacing=3D10 cellPadding=3D8 = width=3D"100%"> <TBODY> <TR> <TD vAlign=3Dtop width=3D"32%"><STRONG>Order Notes = </STRONG></TD> <TD vAlign=3Dtop width=3D"68%"> [PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR> <TR> <TD> </TD></TR> <TR> <TD> </TD></TR></TBODY></TABLE></TD></TR> <TR> <TD><IMG=20 = src=3D"file:///C:/Documents%20and%20Settings/storm/Local%20Settings/Temp/= vlabs_1x1.jpg"=20 width=3D1 height=3D150></TD> <TD=20 vAlign=3Dtop> </TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></= BODY></HTML> ... Vulnerable Module(s): Settings => [Company name] - [Address] - [Document Title] - [Details/Message] Affected Module(s): all generated files by MOW Code Review: From: <Saved by Windows Internet Explorer 8> Subject: [PERSISTENT INJECTED SCRIPT CODE!](MailOrderWorks) Date: Tue, 25 Dec 2012 11:59:57 -0800 MIME-Version: 1.0 Content-Type: multipart/related; type="text/html"; boundary="----=_NextPart_000_0000_01CDE297.5C26ACF0" X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157 class=3Dstyle20><BR></SPAN></STRONG></DIV></TD> <TD vAlign=3Dtop width=3D"50%"> <DIV align=3Dright> <P><IMG=20 = src=3D""=20 width=3D323 height=3D99><BR><BR><STRONG> [PERSISTENT INJECTED SCRIPT CODE!]</STRONG><BR> [PERSISTENT INJECTED SCRIPT CODE!] <P></P></DIV></TD></TR></TBODY></TABLE></DIV></TD></TR> <TR> <TD vAlign=3Dtop> <TABLE border=3D0 cellSpacing=3D0 cellPadding=3D0 width=3D"100%"> <TBODY> <TR> <TD width=3D1><IMG=20 = src=3D""=20 width=3D1 height=3D450></TD> Risk: ===== The security risk of the persistent input validation web vulnerabilities are estimated as medium(+). Credits: ======== Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [storm@xxxxxxxxxxxxxxxxxxxxx] [iel-sayed.blogspot.com] Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@xxxxxxxxxxxxxxxxxxxxx - support@xxxxxxxxxxxxxxxxxxxxx - research@xxxxxxxxxxxxxxxxxxxxx Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or support@xxxxxxxxxxxxxxxxxxxxx) to get a permission. Copyright © 2013 | Vulnerability Laboratory -- VULNERABILITY RESEARCH LABORATORY LABORATORY RESEARCH TEAM CONTACT: research@xxxxxxxxxxxxxxxxxxxxx