SQL Injection in ForgotPassUserName #192
Comments
Fixed
Dear openSIS Administrator,
After auditing your source code, I found many vulnerabilities, most of them
SQL injection. The reason for many of the bugs is that you failed to filter
user input parameters before assigning them to PHP parameters. So, to secure your
solution, please recheck and fix all the mistakes in your code!
If you need support to secure your code, feel free to contact me! I am
always willing to help you! And obviously, it's free!
…On Sat, Sep 4, 2021 at 3:08 AM openSIS Administrator < ***@***.***> wrote:
Fixed
--
Nguyen Le Quoc Anh
InfoSec Student at Academy of Cryptography Techniques
P 0377027142 <0377027142>
W https://h4niz.wordpress.com/ <https://h4niz.wordpress.com/>
Thanks for your note. We will sincerely appreciate it if you can chip in and fix the vulnerabilities that you have found. Please make sure you do not regress any system functionalities as it is largely undocumented. Please do PR for the fixes.
Hi @openSISAdmin, @ArnabOs4ed, I found a SQL injection vulnerability in the `ForgotPassUserName` function. I can inject special characters in the URL to escape the SQL query in the backend because of a lack of user input sanitization.

PoC:
http://172.16.0.12:2222/ForgotPassUserName.php?used_for=username&u=admin%27%20or%20%271%27=%271

Bug:
In line 278, the code does not sanitize param `u`, so I can escape the SQL query easily.

Solution:
Use function `sqlSecurityFilter()` before assigning `$_GET['u'];` to the `username` param.

The code should look like:
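An added illustration of the bug class reported above, not the reporter's code or the openSIS fix: it compares a lookup that concatenates `u` into the SQL text with one that binds it as a parameter, fed the decoded `u` value from the PoC URL. The in-memory SQLite table, its column and the function names are hypothetical stand-ins, not the openSIS schema or API.

```php
<?php
// Added illustration. Table, column and function names are hypothetical,
// not taken from the openSIS code base.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE login (username TEXT PRIMARY KEY)");
$pdo->exec("INSERT INTO login VALUES ('admin'), ('teacher1'), ('student7')");

// Vulnerable pattern: the request value becomes part of the SQL text,
// so a quote character in it changes the structure of the WHERE clause.
function lookupConcatenated(PDO $pdo, string $u): array
{
    $sql = "SELECT username FROM login WHERE username = '" . $u . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the value is bound as data and is never parsed as SQL.
function lookupPrepared(PDO $pdo, string $u): array
{
    $stmt = $pdo->prepare("SELECT username FROM login WHERE username = ?");
    $stmt->execute([$u]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal username, then the URL-decoded `u` value
// from the PoC in the report.
$inputs = ["admin", "admin' or '1'='1"];
foreach ($inputs as $u) {
    printf("u = %s\n", $u);
    printf("  concatenated: %d row(s)\n", count(lookupConcatenated($pdo, $u)));
    printf("  prepared:     %d row(s)\n", count(lookupPrepared($pdo, $u)));
}
```

For the PoC value, the concatenated lookup matches every row in the table, while the prepared lookup treats the whole string as a single username and matches none.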