| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 30 Jun 2020 15:27:30 +0200 From: Egidio Romano <research@...mainsecurity.com> To: bugtraq@...urityfocus.com, Fulldisclosure <fulldisclosure@...lists.org> Subject: [FD] [KIS-2020-08] openSIS <= 7.4 Multiple SQL Injection Vulnerabilities ----------------------------------------------------- openSIS <= 7.4 Multiple SQL Injection Vulnerabilities ----------------------------------------------------- [-] Software Link: https://opensis.com/ [-] Affected Versions: Version 7.4 and prior versions. [-] Vulnerabilities Description: The application is affected by multiple SQL Injection vulnerabilities, following are some examples: 1) User input passed through the "api_key" and "api_secret" parameters to '/api/SchoolInfo.php', '/api/StaffInfo.php', and '/api/StudentEnrollmentInfo.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by unauthenticated attackers to e.g. read sensitive data from the database through error-based SQL Injection attacks. 2) User input passed through the "event_id" parameter to '/CalendarModal.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by remote attackers to e.g. read sensitive data from the database through in-band SQL Injection attacks. 3) User input passed through the "course_id" parameter to '/modules/scheduling/MassSchedule.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by remote attackers to e.g. read sensitive data from the database through SQL Injection attacks. 4) User input passed through the "student" parameter to '/modules/attendance/AddAbsences.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by remote attackers to e.g. read sensitive data from the database through SQL Injection attacks. NOTE: certain SQL Injection vulnerabilities in openSIS - like (3) or (4) - could also be abused to execute arbitrary PHP code due to an unsafe use of the "eval()" PHP function within the "DBGet()" function defined in the '/functions/DbGetFnc.php' script. [-] Solution: Upgrade to version 7.4 to remediate vulnerabilities (1) and (2). No official solution is currently available for the other vulnerabilities. [-] Disclosure Timeline: [04/11/2019] - Vendor notified [04/11/2019] - Vendor acknowledgement [10/01/2020] - Vendor contacted again asking for updates [15/01/2020] - Vendor replied they would need a few examples [20/01/2020] - Told the vendor they could use the PoC I sent them in November [05/02/2020] - Vendor asked for a video recording to demonstrate the vulnerabilities [06/02/2020] - Proof of Concept video sent to the vendor [06/02/2020] - Vendor informed about the correct fix for (1) and (2) with commit https://git.io/JJf4L [03/03/2020] - Vendor contacted again asking for updates about the other vulnerabilities [04/03/2020] - Vendor replied "we just have to wait a little longer" [25/04/2020] - Version 7.4 released, vulnerabilities still not fixed [22/05/2020] - CVE numbers assigned [30/06/2020] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2020-13380 to vulnerabilities (1) and (2), and name CVE-2020-13381 for the other vulnerabilities. [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2020-08 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists