Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

[KIS-2020-06] openSIS <= 7.4 Incorrect Access Control Vulnerabilities

Related Vulnerabilities: CVE-2020-13382  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="31"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#32">By Date</a>
<a href="33"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="31"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#32">By Thread</a>
<a href="33"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">[KIS-2020-06] openSIS &lt;= 7.4 Incorrect Access Control	Vulnerabilities</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Egidio Romano &lt;research () karmainsecurity com&gt;


<em>Date</em>: Tue, 30 Jun 2020 15:25:06 +0200


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">-------------------------------------------------------
openSIS &lt;= 7.4 Incorrect Access Control Vulnerabilities
-------------------------------------------------------


[-] Software Link:

<a rel="nofollow" href="https://opensis.com/">https://opensis.com/</a>


[-] Affected Versions:

Version 7.4 and prior versions.


[-] Vulnerabilities Description:

</pre><tt>The application prevents unauthenticated access to its functionalities 
</tt><tt>by including
</tt><tt>the 'RedirectIncludes.php', 'RedirectModules.php', and 
</tt><tt>'RedirectRootInc.php' scripts,
</tt><pre style="margin: 0em;">which implement the access control logic by using the following code:

</pre><tt>if(!$_SESSION['STAFF_ID'] &amp;&amp; !$_SESSION['STUDENT_ID'] &amp;&amp; 
</tt><tt>strpos($_SERVER['PHP_SELF'],'index.php')===false)
</tt><pre style="margin: 0em;">{
    header('Location: ../../../index.php');
    exit;
}

</pre><tt>This can be easily bypassed by appending /index.php at the end of the 
</tt><tt>URL, and can
</tt><tt>be exploited by unauthenticated attackers to potentially access any 
</tt><tt>application
</tt><pre style="margin: 0em;">functionality which should require the user to be authenticated.


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[04/11/2019] - Vendor notified
[04/11/2019] - Vendor acknowledgement
[10/01/2020] - Vendor contacted again asking for updates
[15/01/2020] - Vendor replied they would need a few examples
</pre><tt>[20/01/2020] - Told the vendor they could use the PoC I sent them in 
</tt><tt>November
</tt><tt>[05/02/2020] - Vendor asked for a video recording to demonstrate the 
</tt><tt>vulnerabilities
</tt><pre style="margin: 0em;">[06/02/2020] - Proof of Concept video sent to the vendor
[03/03/2020] - Vendor contacted again asking for updates
[04/03/2020] - Vendor replied "we just have to wait a little longer"
[25/04/2020] - Version 7.4 released, vulnerabilities still not fixed
[22/05/2020] - CVE number assigned
[30/06/2020] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-13382 to these vulnerabilities.


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

<a rel="nofollow" href="http://karmainsecurity.com/KIS-2020-06">http://karmainsecurity.com/KIS-2020-06</a>

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="31"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#32">By Date</a>
<a href="33"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="31"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#32">By Thread</a>
<a href="33"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>[KIS-2020-06] openSIS &lt;= 7.4 Incorrect Access Control	Vulnerabilities</strong> <em>Egidio Romano (Jun 30)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started