Full Disclosure mailing list archives
Re: SQL injection vulnerability in Talariax sendQuick Alertplus server admin version version 4.3
From: refabrik sec <refabriksec () gmail com>
Date: Wed, 6 Oct 2021 00:49:40 +0800
With attachments On Wed, Oct 6, 2021 at 12:48 AM refabrik sec <refabriksec () gmail com> wrote:
Dear Fyodor, Resending this as requested. Dear Full Disclosure Team,We are writing to submit a full disclosure for the following vulnerability discovered for product Talariax sendQuick Alertplus server admin version 4.3 title: SQL injection vulnerability in Talariax sendQuick Alertplus server admin version 4.3 product: Talariax sendQuick Alertplus server admin vulnerable version: Patch no 8HF8 fixed version: Patch no 8HF11 impact: High homepage: https://www.talariax.com/ <https://www.moxa.com/> found: 2021-January by: Jerry Toh (t.ghimhong () gmail com) Edmund Ong (edmund.okx () gmail com) *Finding details:* SQL Injection in the web interface of Talariax sendQuick Alertplus server admin allows an authenticated user to perform error-based SQL injection via unsanitized form fields. *Affected URL:* /appliance/shiftmgn.php *Evidence* (see attached screenshots evidence*.jpeg) We attached the following screenshots to evidence that: (1) Vulnerability was discovered showing that there is an error message which states that the SQL Syntax error after a single quotation mark was appended upon the form submission causing an error message which is thrown from the database (2) Finding was subsequently verified as fixed after input validation was implemented in the fields. *Proof of concept * The following input fields were found to be vulnerable to SQL injection: Navigate to "Roster Management" > Select Edit Roster > Day Selected > Input fields "Roster Time". (see evidence-2.jpeg). The screenshot above shows that there is an error message which states that the SQL Syntax error, after a single quotation mark ('), is being appended upon the form submission. *Remediation* Although the patch (Patch no 8HF11) was tested to have fixed this but it is recommended to use the latest product version/patches. Please approach the vendor for the latest product patches. *Disclosure details:* - 2021/10/04 Contacted email for permission to disclose - 2021/10/05 Vendor responded and approved for public disclosure submission Regards, Edmund ---------- Forwarded message --------- From: Edmund Ong <edmund.okx () gmail com> Date: Tue, Oct 5, 2021 at 8:05 PM Subject: Fwd: Responsible disclosure of vulnerability in Talariax sendQuick Alertplus server admin (patched) To: <Refabriksec () gmail com> For disclosure ---------- Forwarded message --------- From: Edmund Ong <edmund.okx () gmail com> Date: Tue, Oct 5, 2021 at 12:40 PM Subject: Re: Responsible disclosure of vulnerability in Talariax sendQuick Alertplus server admin (patched) To: <jswong () talariax com> Cc: <t.ghimhong () gmail com> Dear JS, Many thanks for the positive response! Best regards, Edmund On Tue, Oct 5, 2021, 12:31 PM JS Wong <jswong () talariax com> wrote:Dear Edmund Hi! Thanks for informing us on the issue found. We are pleased to inform that we had fixed the issue in our patches and as long as customer update to the latest patches, the issue is resolved. If you wish to submit to public domain as CVE, we will not stop you from doing so. Thanks for informing us Regards JS On 4/10/2021 7:24 pm, Edmund Ong wrote: Dear Talariax, We discovered a SQL injection vulnerability on one of your product Talariax sendQuick Alertplus server admin during the period of Q4-2020 to Q1-2021. This commercial off-the-shelf product was used by one of our clients and they may or may not have reported this to you. The finding was subsequently addressed and finding was closed (as shown in the screenshots the affected patch no 8HF8, and the fix released was patch no 8HF11) although we do not have the specific product version that is affected but we have reason to believe that at that point of testing the product Talariax sendQuick Alertplus server admin version was version 4.3 (do correct us if this is wrong). We felt responsible to share this finding with you directly so that you could ensure this vulnerability would be (or had been) addressed in all subsequent releases. *Finding details:* SQL Injection in the web interface of Talariax sendQuick Alertplus server admin allows an authenticated user to perform error-based SQL injection via unsanitized form fields. *Affected URL:* /appliance/shiftmgn.php *Evidence* (see attached screenshots evidence*.jpeg) We attached the following screenshots to evidence that: (1) Vulnerability was discovered showing that there is an error message which states that the SQL Syntax error after a single quotation mark was appended upon the form submission causing an error message which is thrown from the database (2) Finding was subsequently verified as fixed after input validation was implemented in the fields. We would also like to seek your approval for us to perform responsible disclosure to the public of this information. The intention is to help potential victims gain knowledge and raise awareness that vulnerability exists, Talariax could also provide us a recommendation if you so please so that we could include in the writeup (e.g. such as to update to the latest patch and versions). Please note that if we don't hear from you within 14 days, we will proceed to do full disclosure through https://nmap.org/mailman/listinfo/fulldisclosure. -- Yours Sincerely, Edmund Ong -- JS Wong (Mr.) TalariaX Pte Ltd 76 Playfair Road #08-01 LHK2 Singapore 367996 Tel: +65 62802881 Fax: +65 62806882 Mobile: +65 96367680 Web: http://www.talariax.com CONFIDENTIALITY NOTE: This email and any files transmitted with it is intended only for the use of the person(s) to whom it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, please immediately notify the sender and delete the email. If you are not the intended recipient please do not disclose, copy, distribute or take any action in reliance on the contents of this e-mail. Thank you.-- Yours Sincerely, Edmund Ong
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: SQL injection vulnerability in Talariax sendQuick Alertplus server admin version version 4.3 refabrik sec (Oct 05)