##############################################################################
#
# Title    : NetArt Media Pharmacy System SQL Injection and Cross-site
#            Scripting Vulnerabilities
# Author   : Antu Sanadi SecPod Technologies (www.secpod.com)
# Vendor   : http://www.netartmedia.net/
# Advisory : http://secpod.org/blog/?p=513
#          : http://secpod.org/advisories/SecPod_NetArt_Media_Pharmacy_System_SQLi_and_XSS_Vuln.txt
# Software : NetArt Media Pharmacy System Version 2.0
# Date     : 29/06/2012
#
##############################################################################

SecPod ID: 1045

02/02/2012  Issue Discovered
19/06/2012  Vendor Notified
            No Response from vendor
18/07/2012  Advisory Released

Class: SQL Injection/Cross-site Scripting
Severity: High

Overview:
---------
NetArt Media Pharmacy System SQL Injection and Cross-site Scripting
Vulnerabilities.

Technical Description:
----------------------
SQL Injection and Cross-site Scripting vulnerabilities are present in
NetArt Media Pharmacy System because it fails to sanitise user-supplied
input.

i)  Input passed via the 'search' parameter in 'index.php' is not properly
    verified before being used. This may allow an attacker to steal
    cookie-based authentication credentials and launch further attacks.

ii) Input passed via the 'Email' and 'Password' parameters in
    '/pharma/ADMIN/loginaction.php' is not properly verified before being
    used in an SQL query. This can be exploited to manipulate SQL queries
    by injecting arbitrary SQL code. This may allow an unauthenticated
    attacker to launch further attacks.

These vulnerabilities have been tested on NetArt Media Pharmacy System
v2.0. Other versions may also be affected.

Impact:
--------
Successful exploitation could allow an attacker to execute arbitrary HTML
code in a user's browser session in the context of a vulnerable application
or to manipulate SQL queries by injecting arbitrary SQL code.

Affected Software:
------------------
NetArt Media Pharmacy System v2.0

Tested on:
NetArt Media Pharmacy System v2.0

References:
-----------
http://secpod.org/blog/?p=513
http://www.netartmedia.net/pharmacysystem
http://secpod.org/advisories/SecPod_NetArt_Media_Pharmacy_System_SQLi_and_XSS_Vuln.txt

Proof of Concept:
-----------------
POC1:

POST /pharma1/index.php HTTP/1.1
Host: SERVER_IP
User-Agent: XSS-TEST
Content-Type: application/x-www-form-urlencoded
Content-Length: 70

Post Data:
----------
mod=products&search=%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E

POC2:

POST /pharma2/ADMIN/loginaction.php HTTP/1.1
Host: SERVER_IP
User-Agent: SQL-INJECTION
Content-Type: application/x-www-form-urlencoded
Content-Length: 32

Post Data:
----------
Email=%27&Password=%27&x=32&y=10

Solution:
---------
Fix not available

Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR          = NETWORK
ACCESS_COMPLEXITY      = LOW
AUTHENTICATION         = NONE
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT       = PARTIAL
AVAILABILITY_IMPACT    = NONE
EXPLOITABILITY         = PROOF_OF_CONCEPT
REMEDIATION_LEVEL      = UNAVAILABLE
REPORT_CONFIDENCE      = CONFIRMED
CVSS Base Score        = 6.4 (High)
(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of
these vulnerabilities.
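Because no vendor fix is available, a defender's first option is to detect requests that hit the two sinks named above. The following is an added example written for this page, not code from SecPod or NetArt Media: it parses raw POST requests, URL-decodes the form body, and flags HTML markup in the 'search' parameter sent to index.php and SQL metacharacters in the 'Email'/'Password' parameters sent to loginaction.php. The sample requests are constructed here to mirror the two PoCs plus one benign login; the regexes are illustrative signatures, not a complete filter.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests mirroring POC1 and POC2 from the advisory,
# plus one benign login; they are not captured traffic.
SAMPLE_REQUESTS = [
    "POST /pharma1/index.php HTTP/1.1\r\nHost: SERVER_IP\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "mod=products&search=%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E",
    "POST /pharma2/ADMIN/loginaction.php HTTP/1.1\r\nHost: SERVER_IP\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "Email=%27&Password=%27&x=32&y=10",
    "POST /pharma2/ADMIN/loginaction.php HTTP/1.1\r\nHost: SERVER_IP\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "Email=pharmacist%40example.org&Password=correct-horse&x=1&y=1",
]

# Illustrative signatures: the start of any HTML tag, and common SQL
# string/comment/statement breakers. Applied after URL-decoding so that
# %3C and %27 in the PoCs are seen as '<' and "'".
HTML_MARKUP = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)
SQL_META = re.compile(r"['\"]|--|/\*|;")

# Sinks and parameters taken from the advisory's Technical Description.
WATCHED = {
    "index.php": [("search", HTML_MARKUP, "XSS")],
    "ADMIN/loginaction.php": [("Email", SQL_META, "SQLi"),
                              ("Password", SQL_META, "SQLi")],
}


def parse_post(raw):
    """Split a raw HTTP POST into (request path, {param: decoded value})."""
    head, _, body = raw.partition("\r\n\r\n")
    path = head.split(" ", 2)[1]
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return path, params


def inspect(raw):
    """Return [(path, param, class)] for each watched parameter with a suspicious value."""
    path, params = parse_post(raw)
    findings = []
    for script, checks in WATCHED.items():
        if not path.endswith(script):
            continue
        for param, pattern, vuln_class in checks:
            if pattern.search(params.get(param, "")):
                findings.append((path, param, vuln_class))
    return findings


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(inspect(req))
```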