NeoInvoice Blind SQL Injection (CVE-2012-3477)

NeoInvoice is a multi-tenant open source invoicing system that currently contains an unauthenticated blind SQL injection in signup_check.php. The input for the value parameter is not sanitized and is concatenated directly into the SQL query string:

Line #29 there is the key: by concatenating untrusted data into the SQL query, it makes SQL injection trivial. The vulnerability can be demonstrated with the following request:

signup_check.php?field=username&value='+OR+SLEEP(5)+OR+'

This results in the following query being executed:

SELECT username FROM user WHERE username = '' OR SLEEP(5) OR '' LIMIT 1
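For comparison, here is a reconstruction of that concatenation pattern beside a prepared-statement version that treats the submitted value as a bound string literal. This is an added example, not NeoInvoice's own code; the function names, the field whitelist and the $db mysqli connection are assumptions.

```php
<?php
// Added example (not NeoInvoice's code): the concatenation pattern the advisory
// describes, reconstructed from the query shown above, beside a parameterized fix.

// Vulnerable: untrusted $value is spliced into the SQL string, so
// value=' OR SLEEP(5) OR ' yields
//   SELECT username FROM user WHERE username = '' OR SLEEP(5) OR '' LIMIT 1
function buildVulnerableQuery(string $field, string $value): string
{
    return "SELECT $field FROM user WHERE $field = '" . $value . "' LIMIT 1";
}

// Hardened: the column name is taken from a fixed whitelist (assumed field names)
// and the value is bound as a parameter, so it can only ever be compared as data.
function isTaken(mysqli $db, string $field, string $value): bool
{
    $allowed = ['username' => 'username', 'email' => 'email'];
    if (!isset($allowed[$field])) {
        throw new InvalidArgumentException('unknown field');
    }
    $col = $allowed[$field];

    $stmt = $db->prepare("SELECT $col FROM user WHERE $col = ? LIMIT 1");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $value);   // bound as a string; never parsed as SQL
    $stmt->execute();
    $stmt->store_result();
    $taken = $stmt->num_rows > 0;
    $stmt->close();
    return $taken;
}

// With the advisory's payload the vulnerable builder reproduces the injected query,
// while isTaken() simply looks for a user literally named "' OR SLEEP(5) OR '".
echo buildVulnerableQuery('username', "' OR SLEEP(5) OR '"), PHP_EOL;
```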

The author has been notified but has yet to respond. Based on the one open ticket for the project, there are likely other attack vectors.