Document Title: =============== Proman Xpress v5.0.1 - Multiple Web Vulnerabilities References (Source): ==================== Release Date: ============= 2012-05-08 Vulnerability Laboratory ID (VL-ID): ==================================== 512 Common Vulnerability Scoring System: ==================================== 7.5 Product & Service Introduction: =============================== Proman Xpress v5.0.1 is a super project management script coded in PHP & MySQL. It s highly customizable and is used across industries. No Encryption. No Callback. Separate login for clients. Easy management. Add/edit/delete projects. Unlimited project category. Unlimited image upload. Ajax based interface. Complete messaging system. File attachment system. Active/ inactive projects. Assign different parts to staffs. Client to admin message interface. Staff to admin message interface. Set project time period. Add/edit/delete clients. Add/edit/delete Staffs. Template based architecture. (Copy of the Vendor Homepage: ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Researcher Team discovered multiple Web Vulnerabilities in Proman Xpress 2012 Q2. Vulnerability Disclosure Timeline: ================================== 2012-05-09: Public or Non-Public Disclosure Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ 1.1 A remote SQL Injection vulnerability is detected in the Promans Xpress 2012 Q2 content management system. The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands on the affected application dbms. Successful exploitation of the vulnerability results in dbms & application compromise. The vulnerability is located on the username post method. Vulnerable Module(s): [+] Category Edit [category_edit.php?cid=] Picture(s): ../1.png ../2.png 1.2 A persistent input validation vulnerability is detected n the Promans Xpress 2012 Q2 content management system. The bugs allow remote attackers to implement/inject malicious script code on the application-side (persistent). Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user inter action. The bug is located on the comment section of the message reply function. Vulnerable Module(s): [+] Replying for a Message - Comments Picture(s): ../3.png ../4.png Proof of Concept (PoC): ======================= 1.1 The sql injection vulnerability can be exploited by remote attackers with privileged account. For demonstration or reproduce ... Poc: