Secunia Research has discovered multiple vulnerabilities in PhreeBooks, which can be exploited by malicious users to conduct script insertion attacks, SQL injection attacks, and disclose sensitive information and by malicious people to conduct cross-site scripting and SQL injection attacks.

1) Input passed via arbitrary parameters to index.php (when "cat", "module", and "subject" are set) is not properly sanitised in the "gen_get_all_get_params()" function in modules/general/functions/gen_functions.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed via the "search_text" parameter to index.php (when "cat" and "module" are set) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input passed via the "date_from" and "date_to" parameters to index.php (when "cat" is set to "general" and "module" is set to "search") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

4) Input passed via the "search_field" parameter to includes/addons/PhreeHelp/leftframe.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

5) Input passed via the "img" parameter to index.php (when "cat" is set to "inventory" and "module" is set to "popup_image") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

6) Input passed to the "form" parameter in modules/services/pages/popup_shipping/js_include.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

7) Input passed via the "index" parameter to index.php (when "cat" is set to "services" and "module" is set to "popup_label_button") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

8) Input passed via the "my_note" parameter to index.php (when "my_note_submit" is set to "Add" and "module_id" is set to "my_notes") is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

9) Input passed via the "search_field" parameter to includes/addons/PhreeHelp/leftframe.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

10) Input passed to the "idx" parameter in includes/addons/PhreeHelp/index.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

11) Input passed via the "tpl" parameter to index.php (when "cat" and "module" are set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

12) Input passed via the "cID" and "oID" parameters to index.php (when "cat" is set to "orders", "module" is set to "ajax", and "op" is set to "load_order") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

13) Input passed via the "search_period" parameter to index.php (when "cat" is set to "banking", "module" is set to "popup_bills", and "jID" is set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

14) Input passed via the "search_period" parameter to index.php (when "cat" is set to "orders", "module" is set to "popup_orders", "form" is set to "orders" and "jID" is set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

15) Input passed via the "search_period" parameter to index.php (when "cat" is set to "orders" and "module" is set to "inv_mgr") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires "Read Only" permissions for "Invoice Manager" in the "Customers" section.

16) Input passed via the "search_period" parameter to index.php (when "cat" is set to "banking" and "module" is set to "reconciliation") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires "Read Only" permissions for "Account Reconciliation" in the "Banking" section.

17) Input passed via the "search_period" parameter to index.php (when "cat" is set to "orders" and "module" is set to "status", and jID is set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires "Read Only" permissions for "Sales Order Manager" in the "Customers" section.

18) Input passed via the "cID" parameter to index.php (when "cat" is set to "accounts", "module" is set to "ajax", and "op" is set to "load_contact") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

19) Input passed via the "guess" parameter to index.php (when "cat" is set to "accounts", "module" is set to "ajax", and "op" is set to "load_contact_info") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

20) Input passed via the "type" parameter to index.php (when "cat" is set to "accounts" and "module" is set to "popup_accts") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

21) Input passed via the "pID" parameter to index.php (when "cat" is set to "general" and "module" is set to "ctl_panel") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

22) Input passed via the "sID" parameter to index.php (when "cat" is set to "setup", "module" is set to "popup_setup", and "subject" is set to "zones", "countries", "inv_tabs", "tax_auths_vend", "tax_rates_vend", or "tax_rate") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

23) Input passed via the "sID" parameter to index.php (when "cat" is set to "setup", "module" is set to "popup_setup", and "subject" is set to "departments", "project_phases", "chart_of_accounts", "currency", "dept_types", or "project_costs") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

24) Input passed via the "iID", "upc", and "sku" parameters to index.php (when "cat" is set to "inventory", "module" is set to "ajax", "op" is set to "inv_details" and "fID" is set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

25) Input passed via the "cID" and "sku" parameters to index.php ("cat" is set to "inventory", "module" is se to "main" and "action" is set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires "Edit" permissions for "Edit/Maintain" in the "Inventory" section.

26) Input passed via the "cID" parameter to index.php (when "cat" is set to "inventory", "module" is set to "popup_inv", and "f2" is set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

27) Input passed via the "sku" parameter to index.php (when "cat" is set to "inventory", "module" is set to "popup_prices") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

28) Input passed via the "psID" parameter to index.php (when "cat" is set to "services", "module" is set to "price_sheets", "action" is set to "revise") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires "Edit" permissions for "Price Sheet Manager" in the "Customers" section.

29) Input passed via the "rID" parameter to index.php (when "cat" is set to "gen_ledger", "module" is set to "ajax", and "op" is set to "load_record") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

30) Input passed via the "rID" parameter to index.php (when "cat" is set to "reportwriter", "module" is set to "ajax", and "op" is set to "load_email_msg") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

31) Input passed via the "ReportID" parameter to index.php (when "cat" is set to "reportwriter" and "module" is set to "form_gen", "rpt_gen", or "builder") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires "Read Only" permissions for "Reports" in the "Tools" section.

32) Input passed via the "short_name" parameter to index.php (when "cat" is set to "accounts", "module" is set to "main", and "type" is set to "i") when adding or editing a contact is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires "Add" permissions for "PhreeCRM" in the "Customers" section and that "magic_quotes_gpc" is disabled.

33) Input passed via the "my_note" parameter to index.php (when "my_note_submit" is set to "Add" and "module_id" is set to "my_notes") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

34) Input passed via the "my_title" and "my_url" parameters to index.php (when "my_personal_links" is set to "Add" and "module_id" is set to "personal_links") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

35) Input passed via the "type" and "guess" parameters to index.php (when "cat" is set to "orders", "module" is set to "ajax", and "op" is set to "load_searches") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

36) Input passed via the "gl_acct_id" parameter to index.php (when "cat" is set to "banking", "module" is set to "ajax", and "op" is set to "acct_balance") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

37) Input passed via the "cID" and "bID" parameters to index.php (when "cat" is set to banking", "module" is set to "ajax", and "op" is set to "load_bill") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

38) Input passed via the "contact_id" parameter to index.php (when "cat" is set to "banking", "module" is set to "ajax", and "op" is set to "stored_payments") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

39) Input passed via the "jID" parameter to index.php (when "cat" is set to "banking" and "module" is set to "popup_bills") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

40) Input passed via the "db" parameter to soap/application_top.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

41) Input passed via the "module" parameter to index.php (when "cat" is set) is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

42) Input passed via the "op" parameter to index.php (when "cat" is set and "module" is set to "ajax") is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

43) Input passed via the "subject" parameter to index.php (when "cat" is set to "setup" and "module" is set to "popup_setup") is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

44) Input passed via the "subject" parameter to index.php (when "cat" is set to "services" and "module" is set to "popup_tracking") is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

45) Input passed via the "subject" parameter to index.php (when "cat" is set to "services" and "module" is set to "popup_label_mgr") is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes.

Successful exploitation requires "Read Only" permissions for "Shipping Manager" in the "Tools" section and that "magic_quotes_gpc" is disabled.

The vulnerabilities are confirmed in version 2.1. Other versions may also be affected.

Solution
Use another product.

Provided and/or discovered by
Secunia Research

Original Advisory
Secunia Research:
http://secunia.com/secunia_research/2010-121/
http://secunia.com/secunia_research/2010-122/
http://secunia.com/secunia_research/2010-123/
http://secunia.com/secunia_research/2010-124/

Deep Links
Links available to Secunia VIM customers