[KIS-2020-08] openSIS <= 7.4 Multiple SQL Injection Vulnerabilities

fulldisclosure logo Full Disclosure mailing list archives

  By Date           By Thread        

[KIS-2020-08] openSIS <= 7.4 Multiple SQL Injection Vulnerabilities


From: Egidio Romano <research () karmainsecurity com>
Date: Tue, 30 Jun 2020 15:27:30 +0200


-----------------------------------------------------
openSIS <= 7.4 Multiple SQL Injection Vulnerabilities
----------------------------------------------------- [-] Software Link: https://opensis.com/ [-] Affected Versions: Version 7.4 and prior versions. [-] Vulnerabilities Description: 

The application is affected by multiple SQL Injection vulnerabilities, following are some examples:

 

1) User input passed through the "api_key" and "api_secret" parameters to '/api/SchoolInfo.php', '/api/StaffInfo.php', and '/api/StudentEnrollmentInfo.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by unauthenticated attackers to e.g. read sensitive data from the database through error-based SQL Injection attacks.

 

2) User input passed through the "event_id" parameter to '/CalendarModal.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by remote attackers to e.g. read sensitive data from the database through in-band SQL Injection attacks.

 

3) User input passed through the "course_id" parameter to '/modules/scheduling/MassSchedule.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by remote attackers to e.g. read sensitive data from the database through SQL Injection attacks.

 

4) User input passed through the "student" parameter to '/modules/attendance/AddAbsences.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by remote attackers to e.g. read sensitive data from the database through SQL Injection attacks.

 

NOTE: certain SQL Injection vulnerabilities in openSIS - like (3) or (4) - could also be abused to execute arbitrary PHP code due to an unsafe use of the "eval()" PHP function within the "DBGet()" function defined in the '/functions/DbGetFnc.php' script.

 [-] Solution: Upgrade to version 7.4 to remediate vulnerabilities (1) and (2).

No official solution is currently available for the other vulnerabilities.

 [-] Disclosure Timeline: [04/11/2019] - Vendor notified
[04/11/2019] - Vendor acknowledgement
[10/01/2020] - Vendor contacted again asking for updates
[15/01/2020] - Vendor replied they would need a few examples

[20/01/2020] - Told the vendor they could use the PoC I sent them in November [05/02/2020] - Vendor asked for a video recording to demonstrate the vulnerabilities

[06/02/2020] - Proof of Concept video sent to the vendor

[06/02/2020] - Vendor informed about the correct fix for (1) and (2) with commit https://git.io/JJf4L [03/03/2020] - Vendor contacted again asking for updates about the other vulnerabilities

[04/03/2020] - Vendor replied "we just have to wait a little longer"
[25/04/2020] - Version 7.4 released, vulnerabilities still not fixed
[22/05/2020] - CVE numbers assigned
[30/06/2020] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-13380 to vulnerabilities (1) and (2),
and name CVE-2020-13381 for the other vulnerabilities. [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2020-08 _______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/ 

  By Date           By Thread  

Current thread:

  • [KIS-2020-08] openSIS <= 7.4 Multiple SQL Injection Vulnerabilities Egidio Romano (Jun 30)

Follow me for more information.

Uncategorized

Questions or Comments?

Product categories

Post

July 2020
SMTWTFS
 1234
567891011
12131415161718
19202122232425
262728293031 
X