Business Logic Errors in yetiforcecompany/yetiforcecrm

Valid

Reported on

Dec 10th 2021


Description

The application is vulnerable to a business logic error: the Unit Price of a product can be set to a negative amount, and the value is saved without validation.

Proof of Concept

Step 1: Log in to the application at https://gitstable.yetiforce.com/index.php

Step 2: Navigate to Database -> Product -> Edit any product.

Step 3: Enter a negative amount in the Unit Price field and click Save. The product is saved with a negative unit price.
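A server-side validator of the kind this report calls for, written here as an added example rather than code from YetiForce; `validateUnitPrice`, `PriceValidationException` and the `$allowNegative` switch are assumptions and not the project's own API. The switch reflects the maintainer's point in the discussion below that some installations genuinely need negative values: it is off by default and must be an explicit opt-in. A client-side check (for instance `min="0"` on the input) only helps the honest user; the same rule has to run on the server for every save and API request, because the request can be replayed without the form.

```php
<?php
// Added example, not YetiForce code: server-side validation of a monetary
// field such as a product's Unit Price. All names here are hypothetical.
declare(strict_types=1);

final class PriceValidationException extends InvalidArgumentException {}

/**
 * Validate an untrusted price value as submitted in a form or API request.
 *
 * @param mixed $raw           value taken from the request body (untrusted)
 * @param bool  $allowNegative assumed per-installation config switch; off by
 *                             default, opt-in for clients that need negatives
 * @param int   $scale         number of decimal places allowed
 * @return string              normalised decimal string such as "19.99"
 */
function validateUnitPrice($raw, bool $allowNegative = false, int $scale = 2): string
{
    // Arrays and objects must never reach a money field.
    if (!is_string($raw) && !is_int($raw) && !is_float($raw)) {
        throw new PriceValidationException('Price must be a number');
    }
    $value = trim((string) $raw);

    // Strict decimal grammar: optional sign, digits, optional fraction.
    // Locale formatting (thousands separators, currency symbols) is the
    // presentation layer's job; it must be stripped before this point.
    $fraction = $scale > 0 ? '(\.\d{1,' . $scale . '})?' : '';
    if (!preg_match('/^[+-]?\d{1,15}' . $fraction . '$/', $value)) {
        throw new PriceValidationException('Price is not a valid decimal');
    }

    // Work on the decimal string, not a float, so "-0.001" cannot round to
    // "0.00" and slip past the sign check.
    $sign = '';
    if ($value[0] === '-' || $value[0] === '+') {
        $sign  = $value[0];
        $value = substr($value, 1);
    }
    [$int, $frac] = array_pad(explode('.', $value, 2), 2, '');
    $int  = ltrim($int, '0') === '' ? '0' : ltrim($int, '0');
    $frac = str_pad($frac, $scale, '0');

    // "-0.00" is not negative: drop the sign when the magnitude is zero.
    $isZero   = ltrim($int . $frac, '0') === '';
    $negative = $sign === '-' && !$isZero;
    if ($negative && !$allowNegative) {
        throw new PriceValidationException('Price must not be negative');
    }

    return ($negative ? '-' : '') . $int . ($scale > 0 ? '.' . $frac : '');
}

// Demonstration on constructed inputs (not taken from the report).
foreach (['19.99', '0', '-0.00', '-5', '1e3', '5,00', '  42 ', ['5']] as $input) {
    try {
        printf("%-10s -> %s\n", var_export($input, true), validateUnitPrice($input));
    } catch (PriceValidationException $e) {
        printf("%-10s -> rejected: %s\n", var_export($input, true), $e->getMessage());
    }
}

// The same negative value is accepted only when negatives are explicitly enabled.
echo validateUnitPrice('-5', true), "\n";
```

The validator deliberately refuses scientific notation and locale-formatted strings instead of trying to be helpful: any normalisation that happens before the sign check is a place where a crafted value can change meaning. Reject at the boundary, and keep the opt-in for negative prices in configuration rather than in the request, so a client cannot flip it.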

We are processing your report and will contact the yetiforcecompany/yetiforcecrm team within 24 hours. a year ago
We have contacted a member of the yetiforcecompany/yetiforcecrm team and are waiting to hear back a year ago
Radosław
a year ago

Maintainer


It's hard to say if this is an error or not. We have some clients who needed negative values here. However, we do agree that the basic assumptions shouldn't allow negative values.

Devendra Bhatla
a year ago

Researcher


Yes, this is a business logic flaw, as keeping a product at a negative amount doesn't make any sense. Nobody manufactures a product without investing money. Also, a product with a negative amount can lead to financial loss at checkout, and hence negative amounts shouldn't be allowed; a minimum product amount (example: greater than 0 zł) should be set and validated on both the client and server side.

PS: As per this application, it is an error, and you can validate the product amount.

Cheers

Radosław Skrzypczak validated this vulnerability a year ago
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
Radosław Skrzypczak marked this as fixed in 6.4.0 with commit c1ad71 a year ago
Radosław Skrzypczak has been awarded the fix bounty
This vulnerability will not receive a CVE
KhanhCM
a year ago

Hey @dev696,

A real researcher would not just copy all the content from other reports. You should try to write your reports yourself. What have you learned after reporting this vulnerability? Did you just earn the bounty, or did you improve your skills in cybersecurity?

Shame on you!

The maintainer should be aware of this person, he is not a researcher, he is a copier!

hi-unc1e
a year ago

What's up?

  1. https://huntr.dev/bounties/0b81e572-bdc9-4caf-aa02-81f3c7ad7c0a/
  2. https://huntr.dev/bounties/8afc8981-baff-4082-b640-be535b29eb9a/

These two reports seem to be duplicates in some way. Can you please make a fair judgment? @admin
Mariusz
a year ago

Maintainer


In my opinion these are two different issues because they concern different fields and two validators (each field type has different validation rules) but a common data validation mechanism.

Bug fixed in 6.3.0_SecurityFix https://github.com/YetiForceCompany/UpdatePackages/tree/master/YetiForce%20CRM%206.x.x/6.3.0_SecurityFix/zip
