Re: SQL injection vulnerability in Talariax sendQuick Alertplus server admin version version 4.3

[refabrik sec <refabriksec () gmail com>]

With attachments

On Wed, Oct 6, 2021 at 12:48 AM refabrik sec <refabriksec () gmail com> wrote:

> Dear Fyodor,
>
> Resending this as requested.
>
> Dear Full Disclosure Team,
> > We are writing to submit a full disclosure for the following
> > vulnerability discovered for product Talariax sendQuick Alertplus server
> > admin version 4.3
> >
> >               title: SQL injection vulnerability in Talariax sendQuick Alertplus server admin version 4.3
> >             product: Talariax sendQuick Alertplus server admin
> >  vulnerable version: Patch no 8HF8
> >       fixed version: Patch no 8HF11
> >              impact: High
> >            homepage: https://www.talariax.com/ <https://www.moxa.com/>
> >               found: 2021-January
> >                  by: Jerry Toh (t.ghimhong () gmail com)
> >                      Edmund Ong (edmund.okx () gmail com)
> >
> > *Finding details:* SQL Injection in the web interface of Talariax
> > sendQuick Alertplus server admin allows an authenticated user to perform
> > error-based SQL injection via unsanitized form fields.
> >
> > *Affected URL:* /appliance/shiftmgn.php
> >
> > *Evidence* (see attached screenshots evidence*.jpeg)
> > We attached the following screenshots to evidence that:
> > (1) Vulnerability was discovered showing that there is an error message
> > which states that the SQL Syntax error after a single quotation mark was
> > appended upon the form submission causing an error message which is thrown
> > from the database
> > (2) Finding was subsequently verified as fixed after input validation was
> > implemented in the fields.
> >
> > *Proof of concept *
> > The following input fields were found to be vulnerable to SQL injection:
> > Navigate to "Roster Management" > Select Edit Roster > Day Selected > Input
> > fields "Roster Time". (see evidence-2.jpeg). The screenshot above shows
> > that there is an error message which states that the SQL Syntax error,
> > after a single quotation mark ('), is being appended upon the form
> > submission.
> >
> > *Remediation*
> > Although the patch (Patch no 8HF11) was tested to have fixed this but it
> > is recommended to use the latest product version/patches. Please approach
> > the vendor for the latest product patches.
> >
> >
> > *Disclosure details:*
> > - 2021/10/04 Contacted email for permission to disclose
> > - 2021/10/05 Vendor responded and approved for public disclosure
> > submission
> >
> > Regards,
> > Edmund
> >
> > ---------- Forwarded message ---------
> > From: Edmund Ong <edmund.okx () gmail com>
> > Date: Tue, Oct 5, 2021 at 8:05 PM
> > Subject: Fwd: Responsible disclosure of vulnerability in Talariax
> > sendQuick Alertplus server admin (patched)
> > To: <Refabriksec () gmail com>
> >
> >
> > For disclosure
> >
> > ---------- Forwarded message ---------
> > From: Edmund Ong <edmund.okx () gmail com>
> > Date: Tue, Oct 5, 2021 at 12:40 PM
> > Subject: Re: Responsible disclosure of vulnerability in Talariax
> > sendQuick Alertplus server admin (patched)
> > To: <jswong () talariax com>
> > Cc: <t.ghimhong () gmail com>
> >
> >
> > Dear JS,
> >
> > Many thanks for the positive response!
> >
> > Best regards,
> > Edmund
> >
> > On Tue, Oct 5, 2021, 12:31 PM JS Wong <jswong () talariax com> wrote:
> >
> > > Dear Edmund
> > >
> > > Hi! Thanks for informing us on the issue found. We are pleased to inform
> > > that we had fixed the issue in our patches and as long as customer update
> > > to the latest patches, the issue is resolved.
> > >
> > > If you wish to submit to public domain as CVE, we will not stop you from
> > > doing so.
> > >
> > > Thanks for informing us
> > >
> > > Regards
> > >
> > > JS
> > >
> > > On 4/10/2021 7:24 pm, Edmund Ong wrote:
> > >
> > > Dear Talariax,
> > >
> > > We discovered a SQL injection vulnerability on one of your product
> > > Talariax sendQuick Alertplus server admin during the period of Q4-2020 to
> > > Q1-2021.
> > >
> > > This commercial off-the-shelf product was used by one of our clients and
> > > they may or may not have reported this to you. The finding was subsequently
> > > addressed and finding was closed (as shown in the screenshots the affected
> > > patch no 8HF8, and the fix released was patch no 8HF11) although we do not
> > > have the specific product version that is affected but we have reason to
> > > believe that at that point of testing the product Talariax sendQuick
> > > Alertplus server admin version was version 4.3 (do correct us if this is
> > > wrong). We felt responsible to share this finding with you directly so that
> > > you could ensure this vulnerability would be (or had been) addressed in all
> > > subsequent releases.
> > >
> > > *Finding details:* SQL Injection in the web interface of Talariax
> > > sendQuick Alertplus server admin allows an authenticated user to perform
> > > error-based SQL injection via unsanitized form fields.
> > >
> > > *Affected URL:* /appliance/shiftmgn.php
> > >
> > > *Evidence* (see attached screenshots evidence*.jpeg)
> > > We attached the following screenshots to evidence that:
> > > (1) Vulnerability was discovered showing that there is an error message
> > > which states that the SQL Syntax error after a single quotation mark was
> > > appended upon the form submission causing an error message which is thrown
> > > from the database
> > > (2) Finding was subsequently verified as fixed after input validation
> > > was implemented in the fields.
> > >
> > > We would also like to seek your approval for us to perform responsible
> > > disclosure to the public of this information. The intention is to help
> > > potential victims gain knowledge and raise awareness that vulnerability
> > > exists, Talariax could also provide us a recommendation if you so please so
> > > that we could include in the writeup (e.g. such as to update to the latest
> > > patch and versions). Please note that if we don't hear from you within 14
> > > days, we will proceed to do full disclosure through
> > > https://nmap.org/mailman/listinfo/fulldisclosure.
> > >
> > > --
> > > Yours Sincerely,
> > > Edmund Ong
> > >
> > >
> > > --
> > > JS Wong (Mr.)
> > > TalariaX Pte Ltd
> > > 76 Playfair Road #08-01 LHK2
> > > Singapore 367996
> > > Tel: +65 62802881 Fax: +65 62806882
> > > Mobile: +65 96367680
> > > Web: http://www.talariax.com
> > >
> > > CONFIDENTIALITY NOTE: This email and any files transmitted with it is intended only for the use of the person(s)
> > > to whom it is addressed, and may contain information that is privileged, confidential and exempt from disclosure
> > > under applicable law. If you are not the intended recipient, please immediately notify the sender and delete
> > > the email. If you are not the intended recipient please do not disclose, copy, distribute or take any action in
> > > reliance on the contents of this e-mail. Thank you.
> >
> > --
> > Yours Sincerely,
> > Edmund Ong

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/