Title:
======
MailOrderWorks v5.907 - Multiple Web Vulnerabilities


Date:
=====
2013-01-02


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=798


VL-ID:
=====
796


Common Vulnerability Scoring System:
====================================
4.5


Introduction:
=============
Mail order management and stock control is easy with MailOrderWorks. MailOrderWorks (aka MOW) is an easy to use mail order 
software and stock control system that supports multiple users, but is also ideal for single person companies too. Our software 
allows you and your staff to access the same information, at the same time, from anywhere - even if you`re not in the same office 
or building. It`s affordable, easy to use, allows integration and is easily expandable for more users. It`s free to try too.

(Copy of the Vendor Homepage: http://www.mailorderworks.co.uk/index.php )


Abstract:
=========
The Vulnerability-Laboratory Research Team discovered multiple web vulnerabilities in MailOrderWorks v5.907, Mail order management application.



Report-Timeline:
================
2012-12-26:	Public Disclosure


Status:
========
Published


Affected Products:
==================
2Dmedia
Product: MailOrderWorks 5.907


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
Multiple persistent web vulnerabilities are detected in the MailOrderWorks v5.907, Mail order management application.
The vulnerability allows an attacker to inject own malicious script code in the vulnerable modules on application side (persistent).

The vulnerabilities mainly exist in the create document/print module. The module doesn`t validate the file context when processing to create. 
For example, if we are creating a products summary, the print module(vulnerable) doesn`t check the products  titles, and creates the document 
with the injected malicious code inside.

1.1
The first vulnerability is located in the `dispatch order` module. The attacker can create an order by injecting the malicious code in the 
vulnerable customer parameters which are firstname, lastname, custom A1 and custom A2. For the malicious code to get executed, the target user 
should go to `dispatch order` module `Open Batch screen`  and then click `start`. The output file executes the malicious script code while 
creating the malicious order via add.

1.2
The second vulnerability is located in the `reports and exports` module. The attacker can create an order injecting the vulnerable parameters 
in it. The malicious code will be executed when the user choose the orders and create a report about them. The vulnerability also can be 
executed from creating a report about the products. The attacker can create a product with injecting malicious code in the vulnerable 
parameters which are SKU, Title and Group. When the user create a report about the products, the malicious code will be executed out of the 
context from the report file 

1.3
The persistent input validation vulnerability is located in the `Create/View issue` in the show/add orders modules. The attacker can 
inject malicious codes in different vulnerable parameters which are Reason/fault, Resolution, Issue Notes and Order notes. Whenever the user 
clicks on `print issue document` a file will be generated and it includes the malicious codes where it gets executed.

1.4
The final persistent cross-site scripting vulnerability is ver critical because it gets injected in every file that is being generated from 
the MailOrderWorld(MOW). The vulnerability is located in the settings of the application where the attacker can inject a malicious code inside 
the company profiles in the vulnerable fields which are, Company Name and Address. Whenever a user generates any page, the malicious code will 
be executed because the fields: `company name` and `company address` are included in every page that is generated by MOW.

The vulnerability can be exploited with privileged application user account and low or medium required user interaction.
Successful exploitation of the vulnerability result in persistent/non-persistent session hijacking, persistent/non-persistent 
phishing, external redirect, external malware loads and persistent/non-persistent vulnerable module context manipulation.


Vulnerable Service(s):
				[+] MailOrderWorks (5.907)

Vulnerable Section(s):
				[+] New Order
				[+] Add new Product
				[+] View Orders
				[+] Settings

Vulnerable Module(s):
				[+] Customer
				[+] Add new Product
				[+] View Orders => Done => Create/View Issue 
				[+] Company Settings

Vulnerable Parameter(s):
				[+] [Name] - [Mobile/Work] - [Custom A1] - [Custom A2] - [Custom B] - [Email] 
				[+] [SKU] - [Title] - [Group]
				[+] [Reason/fault] - [Resolution] - [Issue Notes] - [Order notes]
				[+] [Company name] - [Address] - [Document Title] - [Details/Message]

Affected Module(s):
				[+] dispatch order > Open batch screen > Start
				[+] Reports and Exports	 > [Products] - [Dispatch]
				[+] View Orders > Done > Create/View Issue > Print issue Document
				[+] Any document Generated by MOW



Proof of Concept:
=================
The persistent input validation web vulnerabilities can be exploited by remote attackers with low or medium required user interaction and 
low privileged application user account. For demonstration or reproduce ...

#1

Vulnerable Module(s):  	New Order => [Name] - [Mobile/Work] - [Custom A1] - [Custom A2] - [Custom B] - [Email] 
Affected Module(s): 	dispatch order => open batch screen => start

Code Review:
	<div id="container">
		<div id="tl">
			<h1>Sales Invoice</h1>
			<dl style="padding-left: 12px; padding-top: 8px;">
				<dt>Invoice No.</dt>
				<dd>1004</dd>
				<dt>Order Date</dt>
				<dd>12/24/2012</dd>
				<dt>Custom B1</dt>
				<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
				<dt>Custom B2</dt>
				<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
			</dl>
		</div>
		<div id="tr">
			<img src="vlabs_top.png" width="223" height="67" align="right" style="padding-left: 10px;" />
			<div style="font-size: 13px; font-weight: bold; padding-bottom: 3px; padding-top: 7px;">vlabs</div>
			<div style="padding-left: 12px;">Example Unit<BR>Works Business Park<BR>Mail Order Road<BR>County<BR>AB1 2BC</div>
			<div style="padding-top: 8px; padding-left: 12px; clear: both;">Phone: (edit in settings)<BR>Email: 
(edit in settings)<BR>Web: (edit in settings)<BR>Company No. (edit in settings), VAT Reg No. (edit in settings)</div>
		</div>
		<div style="clear: both; padding-top: 10px;">
			<div id="delivery">
				<h3>Deliver To</h3>
				<div class="address">
					Mr [PERSISTENT INJECTED SCRIPT CODE!] <br />
				</div>
			</div>
			<div id="billing">
				<h3>Invoice To</h3>
				<div class="address">
					Mr"><[PERSISTENT INJECTED SCRIPT CODE!]")></iframe><br />
				</div>
			</div>
			<div id="customer">
				<dl>
					<dt>Customer</dt>
					<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
					<dt>Account</dt>
					<dd>568-3671</dd>
					<dt>Custom A1</dt>
					<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
					<dt>Custom A2</dt>
					<dd>[PERSISTENT INJECTED SCRIPT CODE!]</dd>
				</dl>
			</div>
		</div>
		<div id="items">
			<table width="100%" border="0" cellpadding="0" cellspacing="0" class="items">
				<tr>
					<th width="12%" nowrap="nowrap">SKU   </th>
					<th width="48%" nowrap="nowrap">Description   </th>
					<th width="7%" nowrap="nowrap"><div align="right">   Qty</div></th>
			<!-- RATESTART --><th width="10%" nowrap="nowrap"><div align="right">   Rate</div></th><!-- RATEEND -->
					<th width="11%" nowrap="nowrap"><div align="right">   Unit Price</div></th>
					<th width="12%" nowrap="nowrap"><div align="right">   Line Total</div></th>
				</tr>		
			</table>
		</div>
	</div>
	<div id="summary">



#2

Vulnerable Module(s): 	Add new Product => [SKU] - [Title] - [Group]
Affected Module(s): 	Reports and Exports => [Products] - [Dispatch]

Code Review:
  <TR>
    <TH noWrap>SKU</TH>
    <TH noWrap>Title</TH>
    <TH noWrap>Spec</TH>
    <TH noWrap>Group</TH>
    <TH noWrap>Retail Price</TH>
    <TH noWrap>Available</TH>
    <TH noWrap>In Stock</TH>
    <TH noWrap>Pending</TH>
    <TH noWrap>Allocated</TH>
    <TH noWrap>Low Level</TH>
    <TH noWrap>Cost</TH>
    <TH noWrap>Supplier</TH>
    <TH noWrap>Sold</TH>
    <TH noWrap>Last Sold</TH>
    <TH noWrap>Stock First Arrival</TH></TR>
  <TR>
    <TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20
      src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
    <TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20
      src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
    <TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20
      src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
    <TD vAlign=3Dtop>[PERSISTENT INJECTED SCRIPT CODE!]'=20
      src=3D"res://ieframe.dll/dnserrordiagoff_webOC.htm"></IFRAME></TD>
    <TD vAlign=3Dtop>=A31.00</TD>
    <TD vAlign=3Dtop>10</TD>
    <TD vAlign=3Dtop>10</TD>
    <TD vAlign=3Dtop>0</TD>
    <TD vAlign=3Dtop>0</TD>
    <TD vAlign=3Dtop>0</TD>
    <TD vAlign=3Dtop>=A312.00</TD>
    <TD vAlign=3Dtop> </TD>
    <TD vAlign=3Dtop> </TD>
    <TD vAlign=3Dtop> </TD>
    <TD vAlign=3Dtop>12/24/2012</TD></TR>
  <TR>
    <TD vAlign=3Dtop>BBA123G</TD>
    <TD vAlign=3Dtop>Angled Building Block</TD>
    


#3

Vulnerable Module(s): 	View Orders => [Reason/fault] - [Resolution] - [Issue Notes] - [Order notes]
Affected Module(s): 	Reports and Exports => View Orders => Done => Create/View Issue => print issue Document

Code Review: 

 <TBODY>
                    <TR>
                      <TD vAlign=3Dtop width=3D"32%">
                        <P><STRONG>Fault Description</STRONG></P>
                        <P>Created: 12/25/2012</P></TD>
                      <TD vAlign=3Dtop width=3D"68%">
                        =
[PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
              <TR>
                <TD> </TD></TR>
              <TR>
                <TD>
                  <TABLE=20
                  style=3D"BORDER-BOTTOM: #000000 1px solid; =
BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; =
BORDER-RIGHT: #000000 1px solid"=20
                  border=3D0 cellSpacing=3D10 cellPadding=3D8 =
width=3D"100%">
                    <TBODY>
                    <TR>
                      <TD vAlign=3Dtop width=3D"32%">
                        <P><STRONG>Resolution</STRONG></P>
                        <P>Resolved: </P></TD>
                      <TD vAlign=3Dtop width=3D"68%">
                        =
[PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
              <TR>
                <TD> </TD></TR>
              <TR>
                <TD>
                  <TABLE=20
                  style=3D"BORDER-BOTTOM: #000000 1px solid; =
BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; =
BORDER-RIGHT: #000000 1px solid"=20
                  border=3D0 cellSpacing=3D10 cellPadding=3D8 =
width=3D"100%">
                    <TBODY>
                    <TR>
                      <TD vAlign=3Dtop width=3D"32%"><STRONG>Fault =
Report Notes=20
                        </STRONG></TD>
                      <TD vAlign=3Dtop width=3D"68%">
                        [PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
              <TR>
                <TD> </TD></TR>
              <TR>
                <TD>
                  <TABLE=20
                  style=3D"BORDER-BOTTOM: #000000 1px solid; =
BORDER-LEFT: #000000 1px solid; BORDER-TOP: #000000 1px solid; =
BORDER-RIGHT: #000000 1px solid"=20
                  border=3D0 cellSpacing=3D10 cellPadding=3D8 =
width=3D"100%">
                    <TBODY>
                    <TR>
                      <TD vAlign=3Dtop width=3D"32%"><STRONG>Order Notes =

                      </STRONG></TD>
                      <TD vAlign=3Dtop width=3D"68%">
                        [PERSISTENT INJECTED SCRIPT CODE!]</TD></TR></TBODY></TABLE></TD></TR>
              <TR>
                <TD> </TD></TR>
              <TR>
                <TD> </TD></TR></TBODY></TABLE></TD></TR>
        <TR>
          <TD><IMG=20
            =
src=3D"file:///C:/Documents%20and%20Settings/storm/Local%20Settings/Temp/=
vlabs_1x1.jpg"=20
            width=3D1 height=3D150></TD>
          <TD=20
vAlign=3Dtop> </TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></=
BODY></HTML>

...

Vulnerable Module(s): 	Settings => [Company name] - [Address] - [Document Title] - [Details/Message]
Affected Module(s): 	all generated files by MOW

Code Review: 

From: <Saved by Windows Internet Explorer 8>
Subject: [PERSISTENT INJECTED SCRIPT CODE!](MailOrderWorks)
Date: Tue, 25 Dec 2012 11:59:57 -0800
MIME-Version: 1.0
Content-Type: multipart/related;
	type="text/html";
	boundary="----=_NextPart_000_0000_01CDE297.5C26ACF0"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157


   class=3Dstyle20><BR></SPAN></STRONG></DIV></TD>
          <TD vAlign=3Dtop width=3D"50%">
            <DIV align=3Dright>
            <P><IMG=20
            =
src=3D""=20
            width=3D323 height=3D99><BR><BR><STRONG>
            [PERSISTENT INJECTED SCRIPT CODE!]</STRONG><BR>
         [PERSISTENT INJECTED SCRIPT CODE!]
            <P></P></DIV></TD></TR></TBODY></TABLE></DIV></TD></TR>
  <TR>
    <TD vAlign=3Dtop>
      <TABLE border=3D0 cellSpacing=3D0 cellPadding=3D0 width=3D"100%">
        <TBODY>
        <TR>
          <TD width=3D1><IMG=20
            =
src=3D""=20
            width=3D1 height=3D450></TD>


Risk:
=====
The security risk of the persistent input validation web vulnerabilities are estimated as medium(+).



Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [storm@vulnerability-lab.com] [iel-sayed.blogspot.com]



Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2013 | Vulnerability Laboratory

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com