eCardMAX 10.5 Multiple Vulnerabilities

High
Advisory ID: ZSL-2016-5336
Release Date: 01 July 2016
Vendor:
Affected Version: 10.5
CVE: N/A
Tested On: Apache/2.2.26, PHP/5.3.28, MySQL/5.5.49-cll
Summary

eCardMax is the most trusted, powerful and dynamic online ecard software solution. It enables you to create your own ecard website with many of the advanced features found on other major sites. Starting your own ecard website with eCardMax is fast and easy.

Description

eCardMAX suffers from a SQL injection vulnerability. Input passed via the 'row_number' GET parameter is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Multiple cross-site scripting vulnerabilities were also discovered. These issues are triggered when input passed via multiple parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
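
A log-triage check for the 'row_number' issue described above, added here as an example and not part of the original advisory: it scans Apache access-log lines and flags requests whose decoded row_number value is not a plain integer. Assumptions: the parameter is meant to be numeric and the log uses the Apache common/combined format; the script name, IP addresses, log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache common/combined log: capture client IP, timestamp and request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:[A-Z]+) (\S+)[^"]*"')
PARAM = "row_number"   # parameter named in the advisory
MAX_DIGITS = 9         # assumption: a legitimate value never needs more digits


def is_valid_row_number(value: str) -> bool:
    """Allowlist check: ASCII digits only, bounded length (assumed numeric)."""
    return value.isascii() and value.isdigit() and len(value) <= MAX_DIGITS


def suspicious_requests(lines):
    """Yield (ip, timestamp, decoded_value) for every non-numeric row_number."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        ip, ts, target = m.groups()
        query = urlsplit(target).query
        # parse_qsl percent-decodes values; keep_blank_values so an empty
        # row_number= is inspected as well.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == PARAM and not is_valid_row_number(value):
                yield ip, ts, value


# Constructed sample lines (documentation IP ranges, placeholder script names).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jul/2016:10:00:01 +0000] "GET /example.php?row_number=20 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Jul/2016:10:00:05 +0000] "GET /example.php?row_number=20%27 HTTP/1.1" 200 312',
    '198.51.100.7 - - [02/Jul/2016:10:00:09 +0000] "GET /example.php?page=2&row_number=%3Cb%3Ex HTTP/1.1" 200 5133',
    '203.0.113.4 - - [02/Jul/2016:10:01:00 +0000] "GET /index.php?cat=3 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} row_number={value!r}")
```

Only GET query strings are inspected, matching the parameter type named in the description; hits are leads for review, not proof of compromise.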

Proof of Concept
Disclosure Timeline
13.06.2016 Vulnerability discovered.
13.06.2016 First contact with vendor.
13.06.2016 Vendor responds asking for details.
14.06.2016 Vulnerability details sent to the vendor.
17.06.2016 Vendor working on a patch.
28.06.2016 Vendor releases patch.
01.07.2016 Public security advisory released.
Credits
Vulnerability discovered by Bikramaditya Guha
References
Changelog
01.07.2016 Initial release
04.07.2016 Added reference [1] and [2]
06.07.2016 Added reference [3]
18.07.2016 Added reference [4] and [5]