Description
Multiple vulnerabilities have been discovered in phpMoneyBooks, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to disclose potentially sensitive information.
1) Input passed via the "module" and "file" parameters to index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks.
2) Input passed via the "AcctName", "AcctType", "AcctAddress", "AcctPhone", and "AcctNotes" parameters to index.php (when "module" is set to "banks" and "action" is set to "AddAcct") is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is being viewed.
3) Input passed via the "DisplayName", "AcctNo", "CompanyName", "Contact", "MrMs", "Phone", "FirstName", "FAX", "MiddleIn", "Phone2", "LastName", "BillingAddress", and "ShippingAddress" parameters to index.php (when "module" is set to "customers" and "action" is set to "AddUser") is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is being viewed.
Successful exploitation of vulnerabilities #2 and #3 requires an access permission of 30 or less.
The vulnerabilities are confirmed in version 1.0.4. Other versions may also be affected.
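As an added illustration (not phpMoneyBooks code and not part of the original advisory), the PHP sketch below shows the two checks whose absence is described in #1 and in #2/#3: confining a "module"/"file" pair to a base directory before inclusion, and encoding stored field values on output. The helper names, the directory layout, the ".php" suffix and all sample values are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: map request parameters to a file under $baseDir, or null.
function resolve_module_file(string $baseDir, string $module, string $file): ?string
{
    // Accept plain identifiers only: no dots, slashes, NUL bytes or URL schemes.
    foreach ([$module, $file] as $name) {
        if (preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name) !== 1) {
            return null;
        }
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $module . '/' . $file . '.php');
    // realpath() resolves symlinks and "..", so the prefix check runs on the canonical path.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Encode stored values at output time so they render as text, not markup.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed demo layout: <tmp>/pmb_demo/banks/list.php
$base = sys_get_temp_dir() . '/pmb_demo';
@mkdir($base . '/banks', 0700, true);
file_put_contents($base . '/banks/list.php', "<?php // constructed sample module\n");

// Constructed sample requests as (module, file) pairs.
$requests = [['banks', 'list'], ['banks', '../secret'], ['..', 'list'], ['banks', 'missing']];
foreach ($requests as [$module, $file]) {
    $resolved = resolve_module_file($base, $module, $file);
    printf("%-8s %-12s => %s\n", $module, $file, $resolved ?? 'rejected');
}

// Constructed sample field value, as it would be echoed into an HTML page.
echo h('<b>Acme</b> "Main" account'), "\n";
```

Only the first constructed request resolves to a path; the others are rejected either by the identifier pattern or because no such file exists under the base directory.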