Message-ID: <CA+sGOP1cUTsoQTZaURKinDYJEbP0iMSan00q3uPS2qmBTycGbQ@mail.gmail.com>
Date: Wed, 6 Oct 2021 00:49:40 +0800
From: refabrik sec <refabriksec@...il.com>
To: fulldisclosure@...lists.org
Cc: Edmund Ong <edmund.okx@...il.com>, t.ghimhong@...il.com
Subject: Re: [FD] SQL injection vulnerability in Talariax sendQuick
Alertplus server admin version 4.3
With attachments
On Wed, Oct 6, 2021 at 12:48 AM refabrik sec <refabriksec@...il.com> wrote:
> Dear Fyodor,
>
> Resending this as requested.
>
> Dear Full Disclosure Team,
>>
>> We are writing to submit a full disclosure for the following
>> vulnerability discovered for product Talariax sendQuick Alertplus server
>> admin version 4.3
>>
>> title: SQL injection vulnerability in Talariax sendQuick Alertplus server admin version 4.3
>> product: Talariax sendQuick Alertplus server admin
>> vulnerable version: Patch no 8HF8
>> fixed version: Patch no 8HF11
>> impact: High
>> homepage: https://www.talariax.com/ <https://www.moxa.com/>
>> found: 2021-January
>> by: Jerry Toh (t.ghimhong@...il.com)
>> Edmund Ong (edmund.okx@...il.com)
>>
>> *Finding details:* SQL Injection in the web interface of Talariax
>> sendQuick Alertplus server admin allows an authenticated user to perform
>> error-based SQL injection via unsanitized form fields.
>>
>> *Affected URL:* /appliance/shiftmgn.php
>>
>> *Evidence* (see attached screenshots evidence*.jpeg)
>> We attached the following screenshots to evidence that:
>> (1) The vulnerability was discovered: an error message stating a SQL
>> syntax error appeared after a single quotation mark was appended to the
>> form input on submission, with the error message thrown from the
>> database.
>> (2) The finding was subsequently verified as fixed after input validation
>> was implemented in the fields.
>>
>> *Proof of concept *
>> The following input fields were found to be vulnerable to SQL injection:
>> Navigate to "Roster Management" > Select Edit Roster > Day Selected > Input
>> fields "Roster Time" (see evidence-2.jpeg). The screenshot shows an error
>> message stating a SQL syntax error after a single quotation mark (') is
>> appended to the input on form submission.
>>
>> *Remediation*
>> Although the patch (Patch no 8HF11) was tested and found to fix this, it
>> is recommended to use the latest product version/patches. Please approach
>> the vendor for the latest product patches.
>>
>>
>> *Disclosure details:*
>> - 2021/10/04 Contacted email for permission to disclose
>> - 2021/10/05 Vendor responded and approved for public disclosure
>> submission
>>
>> Regards,
>> Edmund
>>
>> ---------- Forwarded message ---------
>> From: Edmund Ong <edmund.okx@...il.com>
>> Date: Tue, Oct 5, 2021 at 8:05 PM
>> Subject: Fwd: Responsible disclosure of vulnerability in Talariax
>> sendQuick Alertplus server admin (patched)
>> To: <Refabriksec@...il.com>
>>
>>
>> For disclosure
>>
>> ---------- Forwarded message ---------
>> From: Edmund Ong <edmund.okx@...il.com>
>> Date: Tue, Oct 5, 2021 at 12:40 PM
>> Subject: Re: Responsible disclosure of vulnerability in Talariax
>> sendQuick Alertplus server admin (patched)
>> To: <jswong@...ariax.com>
>> Cc: <t.ghimhong@...il.com>
>>
>>
>> Dear JS,
>>
>> Many thanks for the positive response!
>>
>> Best regards,
>> Edmund
>>
>> On Tue, Oct 5, 2021, 12:31 PM JS Wong <jswong@...ariax.com> wrote:
>>
>>> Dear Edmund
>>>
>>> Hi! Thanks for informing us of the issue found. We are pleased to inform
>>> you that we have fixed the issue in our patches, and as long as customers
>>> update to the latest patches, the issue is resolved.
>>>
>>> If you wish to submit to public domain as CVE, we will not stop you from
>>> doing so.
>>>
>>> Thanks for informing us
>>>
>>> Regards
>>>
>>> JS
>>>
>>> On 4/10/2021 7:24 pm, Edmund Ong wrote:
>>>
>>> Dear Talariax,
>>>
>>> We discovered a SQL injection vulnerability in one of your products,
>>> Talariax sendQuick Alertplus server admin, during the period of Q4-2020 to
>>> Q1-2021.
>>>
>>> This commercial off-the-shelf product was used by one of our clients, and
>>> they may or may not have reported this to you. The finding was subsequently
>>> addressed and closed (as shown in the screenshots, the affected
>>> patch no is 8HF8, and the fix released was patch no 8HF11). Although we do
>>> not have the specific product version that is affected, we have reason to
>>> believe that at the point of testing the Talariax sendQuick Alertplus
>>> server admin version was 4.3 (do correct us if this is wrong). We felt
>>> responsible to share this finding with you directly so that you could
>>> ensure this vulnerability would be (or had been) addressed in all
>>> subsequent releases.
>>>
>>> *Finding details:* SQL Injection in the web interface of Talariax
>>> sendQuick Alertplus server admin allows an authenticated user to perform
>>> error-based SQL injection via unsanitized form fields.
>>>
>>> *Affected URL:* /appliance/shiftmgn.php
>>>
>>> *Evidence* (see attached screenshots evidence*.jpeg)
>>> We attached the following screenshots to evidence that:
>>> (1) The vulnerability was discovered: an error message stating a SQL
>>> syntax error appeared after a single quotation mark was appended to the
>>> form input on submission, with the error message thrown from the
>>> database.
>>> (2) The finding was subsequently verified as fixed after input validation
>>> was implemented in the fields.
>>>
>>> We would also like to seek your approval for us to perform responsible
>>> disclosure of this information to the public. The intention is to help
>>> potential victims gain knowledge and raise awareness that the vulnerability
>>> exists. Talariax could also provide us a recommendation, if you so please,
>>> that we could include in the writeup (e.g. to update to the latest
>>> patch and versions). Please note that if we don't hear from you within 14
>>> days, we will proceed to do full disclosure through
>>> https://nmap.org/mailman/listinfo/fulldisclosure.
>>>
>>> --
>>> Yours Sincerely,
>>> Edmund Ong
>>>
>>>
>>> --
>>> JS Wong (Mr.)
>>> TalariaX Pte Ltd
>>> 76 Playfair Road #08-01 LHK2
>>> Singapore 367996
>>> Tel: +65 62802881 Fax: +65 62806882
>>> Mobile: +65 96367680
>>> Web: http://www.talariax.com
>>>
>>> CONFIDENTIALITY NOTE: This email and any files transmitted with it is intended only for the use of the person(s)
>>> to whom it is addressed, and may contain information that is privileged, confidential and exempt from disclosure
>>> under applicable law. If you are not the intended recipient, please immediately notify the sender and delete
>>> the email. If you are not the intended recipient please do not disclose, copy, distribute or take any action in
>>> reliance on the contents of this e-mail. Thank you.
>>>
>>>
>>
>> --
>> Yours Sincerely,
>> Edmund Ong
>>
>
Download attachment "evidence-1.jpeg" of type "image/jpeg" (57355 bytes)
Download attachment "evidence-2.jpeg" of type "image/jpeg" (99531 bytes)
Download attachment "patched-version.jpeg" of type "image/jpeg" (192976 bytes)
Download attachment "vulnerable-version.jpeg" of type "image/jpeg" (85842 bytes)
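The class of flaw the advisory describes, as an added PHP illustration that is not Talariax's code and is not part of the original post: a hypothetical handler for the "Roster Time" field that concatenates the value into SQL (which is what makes a stray single quote surface as a database syntax error), beside the two layers that close it, strict input validation for a time value and a prepared statement. The table, column and parameter names (shift_roster, roster_time, roster_id) and the database credentials are assumptions.

```php
<?php
// Added illustration (not Talariax code): how an unsanitized "Roster Time"
// field reaches the database, and the two layers that close the hole.
// Table/column/parameter names and credentials below are assumptions.

// BEFORE: string concatenation. A single quote in $post['roster_time']
// breaks the SQL syntax, producing the database error the advisory's
// screenshots show (error-based injection).
function updateRosterTimeVulnerable(mysqli $db, array $post): bool
{
    $sql = "UPDATE shift_roster SET roster_time = '" . $post['roster_time'] .
           "' WHERE roster_id = " . $post['roster_id'];
    return (bool) $db->query($sql);
}

// Layer 1: input validation. A roster time has a fixed shape (HH:MM, 24h);
// anything else is rejected before it is used anywhere.
function validateRosterTime(string $value): ?string
{
    return preg_match('/^([01]\d|2[0-3]):[0-5]\d$/', $value) === 1 ? $value : null;
}

// Layer 2: a prepared statement. Even if validation is loosened later,
// the value travels as a bound parameter, never as SQL text.
function updateRosterTimeFixed(mysqli $db, array $post): bool
{
    $time = validateRosterTime($post['roster_time'] ?? '');
    $id   = filter_var($post['roster_id'] ?? '', FILTER_VALIDATE_INT);
    if ($time === null || $id === false) {
        // Reject and log: a quote character in a time field is worth alerting on.
        http_response_code(400);
        error_log('shiftmgn: rejected malformed roster input');
        return false;
    }
    $stmt = $db->prepare('UPDATE shift_roster SET roster_time = ? WHERE roster_id = ?');
    $stmt->bind_param('si', $time, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Error handling: never echo the driver's message to the browser. The
// visible "SQL syntax" text is what made the original flaw error-based;
// log it server-side and return a neutral message to the user.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli('localhost', 'app_user', 'PLACEHOLDER', 'sendquick'); // placeholder credentials
    updateRosterTimeFixed($db, $_POST);
} catch (mysqli_sql_exception $e) {
    error_log('shiftmgn: ' . $e->getMessage());
    http_response_code(500);
    echo 'An internal error occurred.';
}
```

The validation layer is what the advisory says the vendor patch added; the prepared statement is the defence that holds even when a field's allowed format changes. The 400-plus-log branch doubles as a detection point: repeated rejections on this endpoint from one session are a useful signal for the operations team.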
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/