XSS and SQL Injections

Hello all,

We have run an online test on one of our ERPNext websites to check for SQL and XSS vulnerabilities.

The result shows that there are XSS and SQL injection vulnerabilities. Please check the following output that we received from the test.

Cross-Site Scripting (XSS) Vulnerabilities:

Results:
1.

null -- loadfromdb(doctype, name) File "../lib/webnotes/model/doc.py",
line 143, in _loadfromdb raise webnotes.DoesNotExistError, '[WNF] %s
%s does not exist' % (self.doctype, self.name) DoesNotExistError:
[WNF] Address <EMBED SRC=//localhost/q.swf AllowScriptAccess=always>
</EMBED> does not exist </pre> </div> </div> </div> </div> <footer
class="container"> <div class="web-footer row"> <div class="col-md-
12"> <!--<p style="float: right; clear: both;" id="website-login"><a
href="login"
null -- self._loadfromdb(doctype, name) File
"../lib/webnotes/model/doc.py", line 143, in _loadfromdb raise
webnotes.DoesNotExistError, '[WNF] %s %s does not exist' %
(self.doctype, self.name) DoesNotExistError: [WNF] Support Ticket
<script>_q_q=random()</script> does not exist </pre> </div> </div>
</div> </div> <footer class="container"> <div class="web-footer row">
<div class="col-md-12"> <!--<p style="float: right; clear: both;"
id="website-login"><a href="login">Login</a></p>--

SQL Injection Vulnerabilities:

Results:
1.

null -- Document(dt, dn, prefix=prefix) File
"../lib/webnotes/model/doc.py", line 84, in __init__
self._loadfromdb(doctype, name) File "../lib/webnotes/model/doc.py",
line 140, in _loadfromdb raise e ProgrammingError: (1064, 'You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near \');(function()
{qxss});//"\' at line 1') </pre> </div> </div> </div> </div> <footer
class="container"> <div class="web-foote
null -- Document(dt, dn, prefix=prefix) File
"../lib/webnotes/model/doc.py", line 84, in __init__
self._loadfromdb(doctype, name) File "../lib/webnotes/model/doc.py",
line 140, in _loadfromdb raise e ProgrammingError: (1064, 'You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near \');(function()
{qxss});//"\' at line 1') </pre> </div> </div> </div> </div> <footer
class="container"> <div class="web-foote

So I would like to know: is the security compromised on ERPNext, or is it safe from XSS and SQL injections?

I also want to know how the SQL injections were able to penetrate as far as _loadfromdb and then generate a SQL syntax error. If the syntax had been fully correct, would it have retrieved the data?

Thanks
Syed

2 Likes
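As an added illustration (example code written for this thread, not code from the post or from ERPNext's own code base), the following shows why an input containing a quote character reaches the database and comes back as a syntax error, and how the same lookup behaves once the value is bound as a parameter and the error text is HTML-escaped before it is echoed. It uses Python's built-in sqlite3 as a stand-in for MySQL and a hypothetical, constructed tabAddress table; the loader names and the DoesNotExistError class are assumptions, not ERPNext's real functions.

```python
import html
import sqlite3


class DoesNotExistError(Exception):
    """Stand-in for the application's 'document does not exist' error."""


def make_db():
    # Constructed in-memory table; the real doctype table has far more columns.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tabAddress (name TEXT PRIMARY KEY, city TEXT)")
    conn.execute("INSERT INTO tabAddress VALUES ('Acme HQ', 'Pune')")
    return conn


def load_unsafe(conn, name):
    # String formatting splices the value into the statement text. A quote in
    # the value changes the statement's structure, so the database reports a
    # syntax error (the MySQL 1064 ProgrammingError seen in the scanner output)
    # before any row is returned.
    sql = "SELECT name, city FROM tabAddress WHERE name = '%s'" % name
    row = conn.execute(sql).fetchone()
    if row is None:
        # Echoing the raw value into an error page is the reflected-XSS path.
        raise DoesNotExistError("[WNF] Address %s does not exist" % name)
    return row


def load_safe(conn, name):
    # A bound parameter is sent as data, never parsed as SQL: a value with a
    # quote simply matches no row, which is the expected DoesNotExistError.
    sql = "SELECT name, city FROM tabAddress WHERE name = ?"
    row = conn.execute(sql, (name,)).fetchone()
    if row is None:
        raise DoesNotExistError(safe_error_message(name))
    return row


def safe_error_message(name):
    # HTML-escape anything user-controlled before it can land in a page body.
    return "[WNF] Address %s does not exist" % html.escape(name, quote=True)


def classify(loader, name):
    """Return a label describing how `loader` handled the value `name`."""
    conn = make_db()
    try:
        loader(conn, name)
        return "found"
    except DoesNotExistError:
        return "not-found"
    except sqlite3.OperationalError:
        # sqlite3 reports malformed SQL as OperationalError.
        return "sql-syntax-error"


if __name__ == "__main__":
    for value in ["Acme HQ", "it's", "<b>x</b>"]:
        print(repr(value), classify(load_unsafe, value), classify(load_safe, value))
```

Run the module directly to see the three behaviours side by side: the unsafe loader turns an ordinary apostrophe into a database syntax error, while the parameterized loader reports a clean not-found for the same value, and the escaped message renders any markup in the value as inert text.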

Thanks for testing this. Can you share in detail what tests you ran? We can fix this ASAP.

This still shows the injections failed.

These tests were generated by QUALYS: https://www.qualys.com

Thanks
Syed

It will help if you can share the full report. What you have shared is not very helpful.