Full Disclosure mailing list archives
[KIS-2020-08] openSIS <= 7.4 Multiple SQL Injection Vulnerabilities
From: Egidio Romano <research () karmainsecurity com>
Date: Tue, 30 Jun 2020 15:27:30 +0200
----------------------------------------------------- openSIS <= 7.4 Multiple SQL Injection Vulnerabilities ----------------------------------------------------- [-] Software Link: https://opensis.com/ [-] Affected Versions: Version 7.4 and prior versions. [-] Vulnerabilities Description:The application is affected by multiple SQL Injection vulnerabilities, following are some examples:
1) User input passed through the "api_key" and "api_secret" parameters to '/api/SchoolInfo.php', '/api/StaffInfo.php', and '/api/StudentEnrollmentInfo.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by unauthenticated attackers to e.g. read sensitive data from the database through error-based SQL Injection attacks.
2) User input passed through the "event_id" parameter to '/CalendarModal.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by remote attackers to e.g. read sensitive data from the database through in-band SQL Injection attacks.
3) User input passed through the "course_id" parameter to '/modules/scheduling/MassSchedule.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by remote attackers to e.g. read sensitive data from the database through SQL Injection attacks.
4) User input passed through the "student" parameter to '/modules/attendance/AddAbsences.php' is not properly sanitized before being used to construct a SQL query. This can be exploited by remote attackers to e.g. read sensitive data from the database through SQL Injection attacks.
NOTE: certain SQL Injection vulnerabilities in openSIS - like (3) or (4) - could also be abused to execute arbitrary PHP code due to an unsafe use of the "eval()" PHP function within the "DBGet()" function defined in the '/functions/DbGetFnc.php' script.
[-] Solution: Upgrade to version 7.4 to remediate vulnerabilities (1) and (2).No official solution is currently available for the other vulnerabilities.
[-] Disclosure Timeline: [04/11/2019] - Vendor notified [04/11/2019] - Vendor acknowledgement [10/01/2020] - Vendor contacted again asking for updates [15/01/2020] - Vendor replied they would need a few examples[20/01/2020] - Told the vendor they could use the PoC I sent them in November [05/02/2020] - Vendor asked for a video recording to demonstrate the vulnerabilities
[06/02/2020] - Proof of Concept video sent to the vendor[06/02/2020] - Vendor informed about the correct fix for (1) and (2) with commit https://git.io/JJf4L [03/03/2020] - Vendor contacted again asking for updates about the other vulnerabilities
[04/03/2020] - Vendor replied "we just have to wait a little longer" [25/04/2020] - Version 7.4 released, vulnerabilities still not fixed [22/05/2020] - CVE numbers assigned [30/06/2020] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2020-13380 to vulnerabilities (1) and (2), and name CVE-2020-13381 for the other vulnerabilities. [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2020-08 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- [KIS-2020-08] openSIS <= 7.4 Multiple SQL Injection Vulnerabilities Egidio Romano (Jun 30)