Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

[KIS-2020-08] openSIS <= 7.4 Multiple SQL Injection Vulnerabilities

Related Vulnerabilities: CVE-2020-13380   CVE-2020-13381  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="33"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#34">By Date</a>
<a href=""><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="33"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#34">By Thread</a>
<a href=""><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">[KIS-2020-08] openSIS &lt;= 7.4 Multiple SQL Injection	Vulnerabilities</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Egidio Romano &lt;research () karmainsecurity com&gt;


<em>Date</em>: Tue, 30 Jun 2020 15:27:30 +0200


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">-----------------------------------------------------
openSIS &lt;= 7.4 Multiple SQL Injection Vulnerabilities
-----------------------------------------------------


[-] Software Link:

<a rel="nofollow" href="https://opensis.com/">https://opensis.com/</a>


[-] Affected Versions:

Version 7.4 and prior versions.


[-] Vulnerabilities Description:

</pre><tt>The application is affected by multiple SQL Injection vulnerabilities, 
</tt><tt>following are some examples:
</tt><pre style="margin: 0em;">
</pre><tt>1) User input passed through the "api_key" and "api_secret" parameters 
</tt><tt>to '/api/SchoolInfo.php',
</tt><tt>'/api/StaffInfo.php', and '/api/StudentEnrollmentInfo.php' is not 
</tt><tt>properly sanitized before being
</tt><tt>used to construct a SQL query. This can be exploited by unauthenticated 
</tt><tt>attackers to e.g. read
</tt><tt>sensitive data from the database through error-based SQL Injection 
</tt><tt>attacks.
</tt><pre style="margin: 0em;">
</pre><tt>2) User input passed through the "event_id" parameter to 
</tt><tt>'/CalendarModal.php' is not properly
</tt><tt>sanitized before being used to construct a SQL query. This can be 
</tt><tt>exploited by remote attackers
</tt><tt>to e.g. read sensitive data from the database through in-band SQL 
</tt><tt>Injection attacks.
</tt><pre style="margin: 0em;">
</pre><tt>3) User input passed through the "course_id" parameter to 
</tt><tt>'/modules/scheduling/MassSchedule.php'
</tt><tt>is not properly sanitized before being used to construct a SQL query. 
</tt><tt>This can be exploited by
</tt><tt>remote attackers to e.g. read sensitive data from the database through 
</tt><tt>SQL Injection attacks.
</tt><pre style="margin: 0em;">
</pre><tt>4) User input passed through the "student" parameter to 
</tt><tt>'/modules/attendance/AddAbsences.php'
</tt><tt>is not properly sanitized before being used to construct a SQL query. 
</tt><tt>This can be exploited by
</tt><tt>remote attackers to e.g. read sensitive data from the database through 
</tt><tt>SQL Injection attacks.
</tt><pre style="margin: 0em;">
</pre><tt>NOTE: certain SQL Injection vulnerabilities in openSIS - like (3) or (4) 
</tt><tt>- could also be
</tt><tt>abused to execute arbitrary PHP code due to an unsafe use of the 
</tt><tt>"eval()" PHP function
</tt><tt>within the "DBGet()" function defined in the '/functions/DbGetFnc.php' 
</tt><tt>script.
</tt><pre style="margin: 0em;">

[-] Solution:

Upgrade to version 7.4 to remediate vulnerabilities (1) and (2).
</pre><tt>No official solution is currently available for the other 
</tt><tt>vulnerabilities.
</tt><pre style="margin: 0em;">

[-] Disclosure Timeline:

[04/11/2019] - Vendor notified
[04/11/2019] - Vendor acknowledgement
[10/01/2020] - Vendor contacted again asking for updates
[15/01/2020] - Vendor replied they would need a few examples
</pre><tt>[20/01/2020] - Told the vendor they could use the PoC I sent them in 
</tt><tt>November
</tt><tt>[05/02/2020] - Vendor asked for a video recording to demonstrate the 
</tt><tt>vulnerabilities
</tt><pre style="margin: 0em;">[06/02/2020] - Proof of Concept video sent to the vendor
</pre><tt>[06/02/2020] - Vendor informed about the correct fix for (1) and (2) 
</tt><tt>with commit <a rel="nofollow" href="https://git.io/JJf4L">https://git.io/JJf4L</a>
</tt><tt>[03/03/2020] - Vendor contacted again asking for updates about the other 
</tt><tt>vulnerabilities
</tt><pre style="margin: 0em;">[04/03/2020] - Vendor replied "we just have to wait a little longer"
[25/04/2020] - Version 7.4 released, vulnerabilities still not fixed
[22/05/2020] - CVE numbers assigned
[30/06/2020] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-13380 to vulnerabilities (1) and (2),
and name CVE-2020-13381 for the other vulnerabilities.


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

<a rel="nofollow" href="http://karmainsecurity.com/KIS-2020-08">http://karmainsecurity.com/KIS-2020-08</a>

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="33"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#34">By Date</a>
<a href=""><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="33"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#34">By Thread</a>
<a href=""><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>[KIS-2020-08] openSIS &lt;= 7.4 Multiple SQL Injection	Vulnerabilities</strong> <em>Egidio Romano (Jun 30)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started