Headline
CVE-2021-4111: Business Logic Errors in yetiforcecrm
yetiforcecrm is vulnerable to Business Logic Errors
Valid
Reported on
Dec 10th 2021
Description
The application is vulnerable to Business Logic error through negative product amount.
Proof of Concept
Step 1: Log in to the application https://gitstable.yetiforce.com/index.php
Step 2: Navigate to Database -> Product -> Edit any product.
Step 3: Now enter a negative amount in the Unit Price field and click on save. Here a product is added with a negative amount.
It’s hard to say if this is an error or not. We have some clients who needed negative values in here. However, we do agree that the basic assumptions shouldn’t allow negative values.
Yes, this is a business logic flaw, as keeping a product at a negative amount doesn’t make any sense. Nobody manufactures a product without investing an amount. Also, a product with a negative amount can lead to financial loss at checkout, and hence a negative amount shouldn’t be allowed and a minimum product amount value (Example: greater than 0 zł) should be set and validated at both client and server side.
PS: As per this application it is an error and you can validate the product amount.
Cheers
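An added example, not YetiForce code: a server-side check for the Unit Price field in Python that applies the "greater than 0 zł" rule from the reply above, while keeping a per-deployment switch for installs that, as the maintainer notes, legitimately need negative values. The function names, the configurable minimum and the accepted number formats are assumptions made for this example.

```python
from decimal import Decimal, InvalidOperation


class PriceValidationError(ValueError):
    """Raised when a submitted Unit Price fails the server-side rules."""


def validate_unit_price(raw, *, allow_negative=False,
                        min_price=Decimal("0.01"), decimal_places=2):
    """Server-side validation of the Unit Price field (example, not YetiForce code).

    allow_negative is a hypothetical per-deployment setting for installs that
    really need negative prices; by default the value must be at least min_price.
    Accepts "1234.56", "1,234.56" and the Polish form "1 234,56".
    Returns the normalised Decimal or raises PriceValidationError.
    """
    if not isinstance(raw, str) or not raw.strip():
        raise PriceValidationError("unit price is required and must be a string")
    s = raw.strip().replace("\u00a0", "").replace(" ", "")
    if "," in s and "." in s:
        # both separators present: the last one is the decimal point
        if s.rfind(",") > s.rfind("."):
            s = s.replace(".", "").replace(",", ".")
        else:
            s = s.replace(",", "")
    elif "," in s:
        s = s.replace(",", ".")  # decimal comma
    try:
        value = Decimal(s)
    except InvalidOperation:
        raise PriceValidationError(f"not a number: {raw!r}") from None
    if not value.is_finite():  # rejects NaN / Infinity before any comparison
        raise PriceValidationError("non-finite value")
    quantized = value.quantize(Decimal(1).scaleb(-decimal_places))
    if quantized != value:
        raise PriceValidationError(f"more than {decimal_places} decimal places")
    if not allow_negative and quantized < min_price:
        raise PriceValidationError(f"unit price must be at least {min_price}")
    return quantized


def is_valid_unit_price(raw, **options):
    """Boolean wrapper convenient for form handlers; same rules as above."""
    try:
        validate_unit_price(raw, **options)
        return True
    except PriceValidationError:
        return False
```

The client-side check in the edit form can mirror the same rule, but only this server-side function is authoritative, since the request can be sent without the form.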
The fix bounty is now up for grabs
Hey @dev696,
A real researcher will not just copy all the content from other reports. You should try to write your reports by yourself. What have you learned after reporting this vulnerability? Just earn the bounty or improve your skills in cybersecurity?
What a shame on you!
The maintainer should be aware of this person, he is not a researcher, he is a copier!
What’s up?
- https://huntr.dev/bounties/0b81e572-bdc9-4caf-aa02-81f3c7ad7c0a/
- https://huntr.dev/bounties/8afc8981-baff-4082-b640-be535b29eb9a/ These two reports seem to be dupes in some way. Can you please make a fair judgment? @admin
In my opinion these are two different issues because they concern different fields and two validators (each field type has different validation rules) but a common data validation mechanism.
Bug fixed in 6.3.0_SecurityFix https://github.com/YetiForceCompany/UpdatePackages/tree/master/YetiForce%20CRM%206.x.x/6.3.0_SecurityFix/zip