GAzie 5.10 (Login parameter) Multiple Remote Vulnerabilities

Title: GAzie 5.10 (Login parameter) Multiple Remote Vulnerabilities
Advisory ID: ZSL-2011-4995
Type: Remote
Impact: Cross-Site Scripting, System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (4/5)
Release Date: 17.02.2011
Summary
GAzie is a multi-company management program (ERP) that runs on Apache web server with support for PHP and Mysql database. Open Source web-based application for small and medium enterprises.
Description
GAzie is prone to a cross-site scripting and an SQL Injection vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Compromising the entire database structure and executing system commands is possible thru malicious SQL queries. The issues exist in the 'login_admin.php' script thru the 'Login' parameter.

--------------------------------------------------------------------------------

Error gaz_dbi_get_row: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1

--------------------------------------------------------------------------------

Vendor
Antonio de Vincentiis - http://www.devincentiis.it
Affected Version
5.10
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
[21.02.2011] Vendor releases fix in the SVN repository to address this issue.
PoC
gazie_sql_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/16183/
[2] http://packetstormsecurity.org/files/98555
[3] http://securityreason.com/exploitalert/9994
[4] http://securityreason.com/wlb_show/WLB-2011020079
[5] http://secunia.com/advisories/43395/
[6] http://xforce.iss.net/xforce/xfdb/65467
[7] http://xforce.iss.net/xforce/xfdb/65468
[8] http://www.securityfocus.com/bid/46435
[9] http://gazie.svn.sourceforge.net/viewvc/gazie/modules/root/login_admin.php?view=log
[10] http://osvdb.org/show/osvdb/71088
[11] http://osvdb.org/show/osvdb/71089
Changelog
[17.02.2011] - Initial release
[18.02.2011] - Added reference [4] and [5]
[20.02.2011] - Added reference [6], [7] and [8]
[22.02.2011] - Added Vendor Status and reference [9]
[14.03.2011] - Added reference [10] and [11]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk