openSIS 7.4 SQL Injection

2020.07.01
Credit: EgiX
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89

----------------------------------------------------- openSIS <= 7.4 Multiple SQL Injection Vulnerabilities ----------------------------------------------------- [-] Software Link: https://opensis.com/ [-] Affected Versions: Version 7.4 and prior versions. [-] Vulnerabilities Description: The application is affected by multiple SQL Injection vulnerabilities, following are some examples: 1) User input passed through the "api_key" and "api_secret" parameters to '/api/SchoolInfo.php', '/api/StaffInfo.php', and '/api/StudentEnrollmentInfo.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by unauthenticated attackers to e.g. read sensitive data from the database through error-based SQL Injection attacks. 2) User input passed through the "event_id" parameter to '/CalendarModal.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by remote attackers to e.g. read sensitive data from the database through in-band SQL Injection attacks. 3) User input passed through the "course_id" parameter to '/modules/scheduling/MassSchedule.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by remote attackers to e.g. read sensitive data from the database through SQL Injection attacks. 4) User input passed through the "student" parameter to '/modules/attendance/AddAbsences.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by remote attackers to e.g. read sensitive data from the database through SQL Injection attacks. NOTE: certain SQL Injection vulnerabilities in openSIS - like (3) or (4) - could also be abused to execute arbitrary PHP code due to an unsafe use of the "eval()" PHP function within the "DBGet()" function defined in the '/functions/DbGetFnc.php' script. [-] Solution: Upgrade to version 7.4 to remediate vulnerabilities (1) and (2). No official solution is currently available for the other vulnerabilities. [-] Disclosure Timeline: [04/11/2019] - Vendor notified [04/11/2019] - Vendor acknowledgement [10/01/2020] - Vendor contacted again asking for updates [15/01/2020] - Vendor replied they would need a few examples [20/01/2020] - Told the vendor they could use the PoC I sent them in November [05/02/2020] - Vendor asked for a video recording to demonstrate the vulnerabilities [06/02/2020] - Proof of Concept video sent to the vendor [06/02/2020] - Vendor informed about the correct fix for (1) and (2) with commit https://git.io/JJf4L [03/03/2020] - Vendor contacted again asking for updates about the other vulnerabilities [04/03/2020] - Vendor replied "we just have to wait a little longer" [25/04/2020] - Version 7.4 released, vulnerabilities still not fixed [22/05/2020] - CVE numbers assigned [30/06/2020] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2020-13380 to vulnerabilities (1) and (2), and name CVE-2020-13381 for the other vulnerabilities. [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2020-08


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top