Date: Wed, 6 Oct 2021 00:49:40 +0800
From: refabrik sec <refabriksec@...il.com>
To: fulldisclosure@...lists.org
Cc: Edmund Ong <edmund.okx@...il.com>, t.ghimhong@...il.com
Subject: Re: [FD] SQL injection vulnerability in Talariax sendQuick Alertplus server admin version 4.3

With attachments

On Wed, Oct 6, 2021 at 12:48 AM refabrik sec <refabriksec@...il.com> wrote:
> Dear Fyodor,
>
> Resending this as requested.
>
> Dear Full Disclosure Team,
>>
>> We are writing to submit a full disclosure for the following
>> vulnerability discovered for the product Talariax sendQuick Alertplus server
>> admin version 4.3.
>>
>> title: SQL injection vulnerability in Talariax sendQuick Alertplus server admin version 4.3
>> product: Talariax sendQuick Alertplus server admin
>> vulnerable version: Patch no 8HF8
>> fixed version: Patch no 8HF11
>> impact: High
>> homepage: https://www.talariax.com/ <https://www.moxa.com/>
>> found: 2021-January
>> by: Jerry Toh (t.ghimhong@...il.com)
>>     Edmund Ong (edmund.okx@...il.com)
>>
>> *Finding details:* SQL Injection in the web interface of Talariax
>> sendQuick Alertplus server admin allows an authenticated user to perform
>> error-based SQL injection via unsanitized form fields.
>>
>> *Affected URL:* /appliance/shiftmgn.php
>>
>> *Evidence* (see attached screenshots evidence*.jpeg)
>> We attached the following screenshots to evidence that:
>> (1) The vulnerability was discovered, showing an error message which states
>> that there is a SQL syntax error after a single quotation mark was
>> appended upon the form submission, causing an error message to be thrown
>> from the database.
>> (2) The finding was subsequently verified as fixed after input validation was
>> implemented in the fields.
>>
>> *Proof of concept*
>> The following input fields were found to be vulnerable to SQL injection:
>> Navigate to "Roster Management" > Select Edit Roster > Day Selected > Input
>> fields "Roster Time" (see evidence-2.jpeg). The screenshot above shows
>> that there is an error message which states that there is a SQL syntax error
>> after a single quotation mark (') is appended upon the form submission.
>>
>> *Remediation*
>> Although the patch (Patch no 8HF11) was tested to have fixed this, it
>> is recommended to use the latest product version/patches. Please approach
>> the vendor for the latest product patches.
>>
>> *Disclosure details:*
>> - 2021/10/04 Contacted email for permission to disclose
>> - 2021/10/05 Vendor responded and approved public disclosure
>>   submission
>>
>> Regards,
>> Edmund
>>
>> ---------- Forwarded message ---------
>> From: Edmund Ong <edmund.okx@...il.com>
>> Date: Tue, Oct 5, 2021 at 8:05 PM
>> Subject: Fwd: Responsible disclosure of vulnerability in Talariax
>> sendQuick Alertplus server admin (patched)
>> To: <Refabriksec@...il.com>
>>
>> For disclosure
>>
>> ---------- Forwarded message ---------
>> From: Edmund Ong <edmund.okx@...il.com>
>> Date: Tue, Oct 5, 2021 at 12:40 PM
>> Subject: Re: Responsible disclosure of vulnerability in Talariax
>> sendQuick Alertplus server admin (patched)
>> To: <jswong@...ariax.com>
>> Cc: <t.ghimhong@...il.com>
>>
>> Dear JS,
>>
>> Many thanks for the positive response!
>>
>> Best regards,
>> Edmund
>>
>> On Tue, Oct 5, 2021, 12:31 PM JS Wong <jswong@...ariax.com> wrote:
>>
>>> Dear Edmund
>>>
>>> Hi! Thanks for informing us of the issue found. We are pleased to inform
>>> you that we have fixed the issue in our patches and, as long as customers update
>>> to the latest patches, the issue is resolved.
>>>
>>> If you wish to submit it to the public domain as a CVE, we will not stop you from
>>> doing so.
>>>
>>> Thanks for informing us.
>>>
>>> Regards
>>>
>>> JS
>>>
>>> On 4/10/2021 7:24 pm, Edmund Ong wrote:
>>>
>>> Dear Talariax,
>>>
>>> We discovered a SQL injection vulnerability in one of your products,
>>> Talariax sendQuick Alertplus server admin, during the period of Q4-2020 to
>>> Q1-2021.
>>>
>>> This commercial off-the-shelf product was used by one of our clients, and
>>> they may or may not have reported this to you. The finding was subsequently
>>> addressed and closed (as shown in the screenshots, the affected
>>> patch no is 8HF8 and the fix released was patch no 8HF11). Although we do not
>>> have the specific product version that is affected, we have reason to
>>> believe that at the point of testing the Talariax sendQuick
>>> Alertplus server admin version was version 4.3 (do correct us if this is
>>> wrong). We felt responsible to share this finding with you directly so that
>>> you could ensure this vulnerability would be (or had been) addressed in all
>>> subsequent releases.
>>>
>>> *Finding details:* SQL Injection in the web interface of Talariax
>>> sendQuick Alertplus server admin allows an authenticated user to perform
>>> error-based SQL injection via unsanitized form fields.
>>>
>>> *Affected URL:* /appliance/shiftmgn.php
>>>
>>> *Evidence* (see attached screenshots evidence*.jpeg)
>>> We attached the following screenshots to evidence that:
>>> (1) The vulnerability was discovered, showing an error message which states
>>> that there is a SQL syntax error after a single quotation mark was
>>> appended upon the form submission, causing an error message to be thrown
>>> from the database.
>>> (2) The finding was subsequently verified as fixed after input validation
>>> was implemented in the fields.
>>>
>>> We would also like to seek your approval for us to perform responsible
>>> disclosure of this information to the public. The intention is to help
>>> potential victims gain knowledge and raise awareness that the vulnerability
>>> exists. Talariax could also provide us a recommendation, if you so please, so
>>> that we could include it in the writeup (e.g. to update to the latest
>>> patch and versions). Please note that if we don't hear from you within 14
>>> days, we will proceed to do full disclosure through
>>> https://nmap.org/mailman/listinfo/fulldisclosure.
>>>
>>> --
>>> Yours Sincerely,
>>> Edmund Ong
>>>
>>> --
>>> JS Wong (Mr.)
>>> TalariaX Pte Ltd
>>> 76 Playfair Road #08-01 LHK2
>>> Singapore 367996
>>> Tel: +65 62802881 Fax: +65 62806882
>>> Mobile: +65 96367680
>>> Web: http://www.talariax.com
>>>
>>> CONFIDENTIALITY NOTE: This email and any files transmitted with it are intended only for the use of the person(s)
>>> to whom it is addressed, and may contain information that is privileged, confidential and exempt from disclosure
>>> under applicable law. If you are not the intended recipient, please immediately notify the sender and delete
>>> the email. If you are not the intended recipient please do not disclose, copy, distribute or take any action in
>>> reliance on the contents of this e-mail. Thank you.
>>
>> --
>> Yours Sincerely,
>> Edmund Ong
>

Download attachment "evidence-1.jpeg" of type "image/jpeg" (57355 bytes)
Download attachment "evidence-2.jpeg" of type "image/jpeg" (99531 bytes)
Download attachment "patched-version.jpeg" of type "image/jpeg" (192976 bytes)
Download attachment "vulnerable-version.jpeg" of type "image/jpeg" (85842 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
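As an added illustration of the bug class the advisory describes (this is constructed example code, not the vendor's code or anything taken from the affected product), the snippet below contrasts a concatenated UPDATE, which surfaces the database's own syntax error when a single quote is submitted in a "Roster Time" field, with the validated, parameterized form that the fix ("input validation was implemented in the fields") points to. The roster table schema and the HH:MM time format are assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a roster table (schema assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE roster (day TEXT, roster_time TEXT)")
    con.execute("INSERT INTO roster VALUES ('Mon', '09:00')")
    con.commit()
    return con


def update_roster_time_unsafe(con, day, roster_time):
    """Vulnerable pattern: the form field is spliced into the SQL text.
    A single quote in roster_time breaks the string literal, the database
    raises a syntax error, and that error text is returned to the user,
    which is the error-based SQL injection symptom in the advisory."""
    sql = f"UPDATE roster SET roster_time = '{roster_time}' WHERE day = '{day}'"
    try:
        con.execute(sql)
        con.commit()
        return "ok"
    except sqlite3.Error as exc:
        return f"db error: {exc}"  # DB message leaks to the client


# Assumed HH:MM format for the "Roster Time" field (00:00 to 23:59).
ROSTER_TIME_RE = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d$")


def update_roster_time_safe(con, day, roster_time):
    """Hardened pattern: validate the field against its expected format,
    bind values as parameters, and never echo driver exceptions."""
    if not ROSTER_TIME_RE.fullmatch(roster_time):
        return "rejected: roster time must be HH:MM"
    try:
        con.execute("UPDATE roster SET roster_time = ? WHERE day = ?",
                    (roster_time, day))
        con.commit()
        return "ok"
    except sqlite3.Error:
        return "error"  # generic message; details belong in the server log


def current_time(con, day):
    row = con.execute("SELECT roster_time FROM roster WHERE day = ?", (day,))
    return row.fetchone()[0]
```

Feeding `10:00'` to the unsafe function returns the driver's syntax error while the safe function rejects it before any SQL runs; a well-formed `10:00` is accepted by the safe path.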