AWBS v2.9.6 Multiple Remote Vulnerabilities

Title: AWBS v2.9.6 Multiple Remote Vulnerabilities
Advisory ID: ZSL-2016-5337
Type: Local/Remote
Impact: Cross-Site Scripting, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (4/5)
Release Date: 05.07.2016
Summary
Whether starting new or looking to expand your existing web hosting and/or domain registration business, the AWBS fully automated solutions and unique features will allow you achieve your goal with minimum effort and cost.
Description
AWBS suffers from multiple SQL Injection vulnerabilities. Input passed via the 'cat' and 'so' GET parameters is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via multiple parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
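As an added illustration of the defensive pattern for the 'cat' and 'so' parameter handling described above (constructed Python example, not AWBS code; the products table, its columns and the sort whitelist are assumptions): the category id is validated as an integer and bound as a query parameter, the sort key is mapped through a whitelist so the raw value never reaches the SQL text, and anything reflected back is HTML-encoded.

```python
import html
import sqlite3
from urllib.parse import parse_qs

# Whitelist for the sort-order parameter 'so': only the mapped column name
# (never the user-supplied string) is spliced into the ORDER BY clause.
ALLOWED_SORT = {"name": "name", "price": "price"}


def demo_db():
    """Constructed in-memory catalogue standing in for a hosting product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        (1, 1, "Shared Hosting", 5.0),
        (2, 1, "VPS <Basic>", 20.0),      # angle brackets exercise output encoding
        (3, 2, ".com domain", 10.0),
    ])
    return conn


def parse_params(query_string):
    """Validate 'cat' (positive integer) and 'so' (whitelisted key); reject anything else."""
    params = parse_qs(query_string, keep_blank_values=True)
    raw_cat = params.get("cat", ["1"])[0]
    raw_so = params.get("so", ["name"])[0]
    if not raw_cat.isdigit():
        raise ValueError("cat must be a positive integer")
    if raw_so not in ALLOWED_SORT:
        raise ValueError("so must be one of %s" % sorted(ALLOWED_SORT))
    return int(raw_cat), ALLOWED_SORT[raw_so]


def list_products(conn, query_string):
    """Return HTML list items for a category; values are bound, output is escaped."""
    cat, order_col = parse_params(query_string)
    # 'cat' is passed as a bound parameter; 'order_col' comes from the whitelist.
    rows = conn.execute(
        "SELECT name, price FROM products WHERE cat = ? ORDER BY " + order_col, (cat,)
    ).fetchall()
    # HTML-encode before reflecting database content into the page.
    return ["<li>%s (%.2f)</li>" % (html.escape(name), price) for name, price in rows]


if __name__ == "__main__":
    db = demo_db()
    print("\n".join(list_products(db, "cat=1&so=price")))
```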
Vendor
Total Online Solutions, Inc. - http://www.awbs.com
Affected Version
2.9.6
Tested On
Apache
PHP/5.3.28
MySQL/5.5.50-cll
Vendor Status
[08.06.2016] Vulnerability discovered.
[08.06.2016] Contact with the vendor.
[12.06.2016] Vendor responds asking for details.
[13.06.2016] Vulnerability details sent to the vendor.
[24.06.2016] Follow up with the vendor on patch release date.
[04.07.2016] No response from the vendor.
[05.07.2016] Public security advisory released.
PoC
awbs_mv.txt
Credits
Vulnerability discovered by Bikramaditya Guha - <bik@zeroscience.mk>
References
[1] https://cxsecurity.com/issue/WLB-2016070035
[2] https://www.exploit-db.com/exploits/40062/
[3] https://packetstormsecurity.com/files/137790
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/114768
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/114769
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/114770
Changelog
[05.07.2016] - Initial release
[06.07.2016] - Added reference [1], [2] and [3]
[18.07.2016] - Added reference [4], [5] and [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk