Simple Invoices: http://www.simpleinvoices.org
Version: 2011.1 - stable
By Ross Marks: http://www.rossmarks.co.uk
OSVDB Creditee: http://osvdb.org/creditees/13991-ross-marks

1. Information Disclosure

visit: http://website.com/simpleinvoices/config/config.ini

By default this file is readable and contains configuration information such as the database details (host, port, username & password).

2. Reflected XSS

visit: http://website.com/simpleinvoices/index.php?module=invoices&view=manage&having=

Replace the value of "having" with your payload (remember to escape the JavaScript with ; first).

3. Persistent XSS

3.1 visit: http://website.com/simpleinvoices/index.php?module=user&view=add
Create a user with a username of your payload; there is no filtering!

3.2 visit: http://website.com/simpleinvoices/index.php?module=customers&view=add
Create a user with a username of your payload; there is no filtering!

3.3 visit: http://website.com/simpleinvoices/index.php?module=billers&view=add
Create a user with a username of your payload; there is no filtering!

3.4 visit: http://website.com/simpleinvoices/index.php?module=invoices&view=itemised
Create an invoice using the name from 3.1, 3.2 or 3.3.

3.5 visit: http://website.com/simpleinvoices/index.php?module=products&view=add
Create a product with a product name of your payload; there is no filtering!

3.6 visit: http://website.com/simpleinvoices/index.php?module=payment_types&view=add
Create a payment type with a description of your payload; there is no filtering!

3.7 visit: http://website.com/simpleinvoices/index.php?module=tax_rates&view=add
Create a tax rate with a description of your payload; there is no filtering!

3.8 visit: http://website.com/simpleinvoices/index.php?module=preferences&view=add
Create an invoice preference with a description of your payload; there is no filtering!

4. SQL Injection

4.1 visit: http://website.com/simpleinvoices/index.php?module=invoices&view=xml
POST: page=1&rp=15&sortname=id&sortorder=desc&query=&qtype=c.name
Replace the value of "query" with your payload (the other POST variables are also vulnerable).

4.2 visit: http://website.com/simpleinvoices/index.php?module=customers&view=xml
POST: page=1&rp=25&sortname=name&sortorder=asc&query=&qtype=name
Replace the value of "query" with your payload (the other POST variables are also vulnerable).

5. CSRF (create admin user)

There is no protection against CSRF - get an admin to visit a page containing:
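The issues in sections 3, 4 and 5 share a small set of root causes: request values spliced into SQL, stored names echoed without output encoding, and state-changing requests accepted without a token. The following is an added example written for this advisory, not Simple Invoices' own code; it sketches how the "module=customers&view=xml" listing (4.2) could be handled safely. The POST parameter names are the ones quoted above; the table name, column list, PDO connection and "csrf_token" field are assumptions.

```php
<?php
// Added example (not Simple Invoices code): a hypothetical hardened handler for
// the customers XML listing. Parameter names come from the advisory; the table
// "si_customers", its columns and the PDO setup are assumed.

function customers_xml(PDO $db, array $post): string
{
    // Anything that becomes SQL *structure* (column names, sort direction,
    // LIMIT values) is whitelisted or cast; it is never taken verbatim.
    $allowedCols = ['id', 'name', 'email'];                      // assumed columns
    $qtype     = in_array($post['qtype'] ?? '', $allowedCols, true) ? $post['qtype'] : 'name';
    $sortname  = in_array($post['sortname'] ?? '', $allowedCols, true) ? $post['sortname'] : 'name';
    $sortorder = (($post['sortorder'] ?? 'asc') === 'desc') ? 'DESC' : 'ASC';
    $rp        = max(1, min(100, (int)($post['rp'] ?? 25)));
    $page      = max(1, (int)($post['page'] ?? 1));
    $offset    = ($page - 1) * $rp;

    // The free-text "query" value is a *data* value, so it is bound, never
    // concatenated into the statement.
    $sql  = "SELECT id, name FROM si_customers WHERE $qtype LIKE :q "
          . "ORDER BY $sortname $sortorder LIMIT :lim OFFSET :off";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':q',   '%' . ($post['query'] ?? '') . '%', PDO::PARAM_STR);
    $stmt->bindValue(':lim', $rp,     PDO::PARAM_INT);
    $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
    $stmt->execute();

    // Output encoding at render time: a name stored via the unfiltered
    // "add" forms of section 3 is emitted as inert text, not markup.
    $out = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<rows>\n";
    foreach ($stmt as $row) {
        $out .= '  <row id="' . (int)$row['id'] . '"><cell>'
              . htmlspecialchars($row['name'], ENT_QUOTES | ENT_XML1, 'UTF-8')
              . "</cell></row>\n";
    }
    return $out . "</rows>\n";
}

// For section 5: every state-changing request (such as module=user&view=add)
// must carry a per-session token, compared in constant time. The field name
// "csrf_token" is an assumption.
function csrf_check(array $post, array $session): bool
{
    return isset($post['csrf_token'], $session['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}
```

For section 1 the fix is not in PHP at all: config/config.ini should live outside the web root, or the web server should be configured to deny direct requests to it.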