Title: ====== Proman Xpress v5.0.1 - Multiple Web Vulnerabilities Date: ===== 2012-05-09 References: =========== http://www.vulnerability-lab.com/get_content.php?id=513 VL-ID: ===== 512 Common Vulnerability Scoring System: ==================================== 7.5 Introduction: ============= Proman Xpress v5.0.1 is a super project management script coded in PHP & MySQL. It s highly customizable and is used across industries. No Encryption. No Callback. Separate login for clients. Easy management. Add/edit/delete projects. Unlimited project category. Unlimited image upload. Ajax based interface. Complete messaging system. File attachment system. Active/ inactive projects. Assign different parts to staffs. Client to admin message interface. Staff to admin message interface. Set project time period. Add/edit/delete clients. Add/edit/delete Staffs. Template based architecture. (Copy of the Vendor Homepage: http://itechscripts.com/proman_xpress.html ) Abstract: ========= The Vulnerability Laboratory Researcher Team discovered multiple Web Vulnerabilities in Proman Xpress 2012 Q2. Report-Timeline: ================ 2012-05-09: Public or Non-Public Disclosure Status: ======== Published Exploitation-Technique: ======================= Remote Severity: ========= High Details: ======== 1.1 A remote SQL Injection vulnerability is detected in the Promans Xpress 2012 Q2 content management system. The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands on the affected application dbms. Successful exploitation of the vulnerability results in dbms & application compromise. The vulnerability is located on the username post method. Vulnerable Module(s): [+] Category Edit [category_edit.php?cid=] Picture(s): ../1.png ../2.png 1.2 A persistent input validation vulnerability is detected n the Promans Xpress 2012 Q2 content management system. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user inter action. The bug is located on the comment section of the message reply function. Vulnerable Module(s): [+] Replying for a Message - Comments Picture(s): ../3.png ../4.png Proof of Concept: ================= 1.1 The sql injection vulnerability can be exploited by remote attackers with privileged account. For demonstration or reproduce ... Poc: