Business Logic Errors in yetiforcecompany/yetiforcecrm

Status: Valid

Reported on: Dec 10th 2021

Description

The application is vulnerable to a business logic error through a negative product amount.

Proof of Concept

Step 1: Log in to the application at https://gitstable.yetiforce.com/index.php

Step 2: Navigate to Database -> Product -> Edit any product.

Step 3: Now enter a negative amount in the Unit Price field and click Save. The product is saved with a negative amount.

We are processing your report and will contact the yetiforcecompany/yetiforcecrm team within 24 hours. a month ago
We have contacted a member of the yetiforcecompany/yetiforcecrm team and are waiting to hear back a month ago
Radosław
a month ago

Maintainer


It's hard to say if this is an error or not. We have some clients who needed negative values in here. However, we do agree that the basic assumptions shouldn't allow negative values.

Devendra Bhatla
a month ago

Researcher


Yes, this is a business logic flaw, as keeping a product at a negative amount doesn't make any sense. Nobody manufactures a product without investing money. Also, a product with a negative amount can lead to financial loss at checkout, and hence a negative amount shouldn't be allowed; a minimum product amount value (example: greater than 0 zł) should be set and validated on both the client and server side.

PS: As per this application it is an error and you can validate the product amount.

Cheers
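An illustrative server-side check for the Unit Price field, written for this page in Python and not taken from YetiForce (the 0.01 minimum, the two-decimal rounding and the function names are assumptions): it rejects negative, zero, non-numeric and non-finite input regardless of what the browser-side validation did, and re-validates each price when computing an order total so a negative line cannot pull the checkout amount down.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Hypothetical thresholds for this example, not YetiForce's own configuration.
MIN_UNIT_PRICE = Decimal("0.01")   # "greater than 0", as suggested in the thread
PRICE_PLACES = Decimal("0.01")     # store prices with two decimal places


class PriceValidationError(ValueError):
    """Raised when a submitted price must not be persisted."""


def validate_unit_price(raw) -> Decimal:
    """Normalise a submitted Unit Price and reject anything below the minimum.

    Accepts the raw form string (or a number). Runs on the server, so
    disabling or bypassing the client-side check does not let a negative
    value through.
    """
    if raw is None or isinstance(raw, bool):
        raise PriceValidationError("unit price missing")
    text = str(raw).strip().replace(" ", "")   # tolerate "1 000.50" style input
    try:
        value = Decimal(text)
    except InvalidOperation:
        raise PriceValidationError(f"unit price is not a number: {raw!r}")
    if not value.is_finite():                   # rejects NaN, Infinity, -Infinity
        raise PriceValidationError("unit price must be a finite number")
    try:
        value = value.quantize(PRICE_PLACES, rounding=ROUND_HALF_UP)
    except InvalidOperation:                    # e.g. 1e30: too many digits to store
        raise PriceValidationError("unit price out of range")
    if value < MIN_UNIT_PRICE:                  # catches -5, -0.001, 0 and "-0"
        raise PriceValidationError(f"unit price must be at least {MIN_UNIT_PRICE}")
    return value


def is_rejected(raw) -> bool:
    """True if validate_unit_price refuses the value (used for checks below)."""
    try:
        validate_unit_price(raw)
    except PriceValidationError:
        return True
    return False


def order_total(lines) -> Decimal:
    """Sum unit_price * quantity over [(raw_price, qty), ...], re-validating each
    price so a stored negative value cannot reduce the checkout total."""
    total = Decimal("0")
    for raw_price, qty in lines:
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise PriceValidationError(f"quantity must be a positive integer: {qty!r}")
        total += validate_unit_price(raw_price) * qty
    return total
```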

Radosław Skrzypczak validated this vulnerability a month ago
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
Radosław Skrzypczak confirmed that a fix has been merged on c1ad71 a month ago
Radosław Skrzypczak has been awarded the fix bounty
KhanhCM
a month ago

Hey @dev696,

A real researcher will not just copy all the content from other reports. You should try to write your reports by yourself. What have you learned after reporting this vulnerability? Just earn the bounty or improve your skills in cybersecurity?

What a shame on you!

The maintainer should be aware of this person, he is not a researcher, he is a copier!

hi-unc1e
a month ago

What's up?

  1. https://huntr.dev/bounties/0b81e572-bdc9-4caf-aa02-81f3c7ad7c0a/
  2. https://huntr.dev/bounties/8afc8981-baff-4082-b640-be535b29eb9a/

These two reports seem to be duplicates in some way. Can you please make a fair judgment? @admin
Mariusz
a month ago

Maintainer


In my opinion these are two different issues because they concern different fields and two validators (each field type has different validation rules) but a common data validation mechanism.

Bug fixed in 6.3.0_SecurityFix https://github.com/YetiForceCompany/UpdatePackages/tree/master/YetiForce%20CRM%206.x.x/6.3.0_SecurityFix/zip