SQL Injection in ForgotPassUserName #192

Closed
H4niz opened this issue Sep 1, 2021 · 3 comments

Comments


H4niz commented Sep 1, 2021

Hi @openSISAdmin, @ArnabOs4ed, I found a SQL injection vulnerability in the ForgotPassUserName function. I can inject special characters in the URL to escape the SQL query in the backend because user input is not sanitized.
PoC:
http://172.16.0.12:2222/ForgotPassUserName.php?used_for=username&u=admin%27%20or%20%271%27=%271

Bug:

        if($used_for=='username')
        {
            $username = $_GET['u']; // <--- Unsanitized input here!!!
            $usr_type = $_GET['user_type'];
            $found= false;
            if($usr_type=='student')
            {
                $check_uname=  DBGet(DBQuery('SELECT * FROM login_authentication WHERE USERNAME = \''.$username.'\'  AND PROFILE_ID IN (SELECT ID FROM user_profiles WHERE PROFILE=\'student\')'));
            }
            elseif($usr_type=='staff') 
            {
                $check_uname=  DBGet(DBQuery('SELECT * FROM login_authentication WHERE USERNAME = \''.$username.'\'  AND PROFILE_ID IN (SELECT ID FROM user_profiles WHERE ID NOT IN (0,3,4))'));
            }
            else
            {
                $check_uname=  DBGet(DBQuery('SELECT * FROM login_authentication WHERE USERNAME = \''.$username.'\'  AND PROFILE_ID IN (SELECT ID FROM user_profiles WHERE PROFILE=\'parent\')'));
            }
            if($check_uname[1]['USERNAME']!='')
            {
                echo '1';
            }
            else
                echo '0';
        }

In line 278, the code does not sanitize the param u, so I can escape the SQL query easily.

Solution:

Use the function sqlSecurityFilter() before assigning $_GET['u'] to the username param.
The code should look like:

$username = sqlSecurityFilter($_GET['u']);
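The following is an added demonstration, not code from the issue or from openSIS: it rebuilds the issue's student-branch query over a constructed SQLite schema (only the two tables and columns the query touches; the real openSIS schema is not reproduced) and compares string concatenation with a bound parameter, which is the alternative to an escaping filter.

```python
import sqlite3

# Constructed sample schema and rows (not openSIS's real schema): only the
# tables and columns the vulnerable query in the issue references.
SCHEMA = """
CREATE TABLE user_profiles (ID INTEGER PRIMARY KEY, PROFILE TEXT);
CREATE TABLE login_authentication (USERNAME TEXT, PROFILE_ID INTEGER);
INSERT INTO user_profiles VALUES (1, 'admin'), (2, 'teacher'), (3, 'parent'), (4, 'student');
INSERT INTO login_authentication VALUES ('admin', 1), ('jdoe', 4);
"""

# The issue's payload pattern, here with a username that does not exist.
PAYLOAD = "nobody' or '1'='1"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def check_student_vulnerable(conn, username):
    # Same shape as the issue's query: the value from $_GET['u'] is spliced
    # into the SQL text, so a quote in it terminates the string literal and
    # the rest is parsed as SQL. Returns '1'/'0' like the PHP echo.
    sql = ("SELECT * FROM login_authentication WHERE USERNAME = '" + username
           + "' AND PROFILE_ID IN (SELECT ID FROM user_profiles WHERE PROFILE='student')")
    return '1' if conn.execute(sql).fetchone() else '0'


def check_student_safe(conn, username):
    # Hardened form: the value is bound as a parameter, so it is compared as
    # data and never parsed as part of the statement.
    sql = ("SELECT * FROM login_authentication WHERE USERNAME = ? "
           "AND PROFILE_ID IN (SELECT ID FROM user_profiles WHERE PROFILE='student')")
    return '1' if conn.execute(sql, (username,)).fetchone() else '0'


if __name__ == "__main__":
    db = open_db()
    # A real student: both forms agree.
    print(check_student_vulnerable(db, "jdoe"), check_student_safe(db, "jdoe"))
    # The payload: concatenation reports a match for a user that does not exist.
    print(check_student_vulnerable(db, PAYLOAD), check_student_safe(db, PAYLOAD))
```

With the payload, the concatenated query becomes `USERNAME = 'nobody' or '1'='1' AND PROFILE_ID IN (...)`, and since AND binds tighter than OR it matches any student row.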
@openSISAdmin
Member

Fixed

@H4niz
Author

H4niz commented Sep 4, 2021 via email

@openSISAdmin
Member

@H4niz

Thanks for your note. We will sincerely appreciate it if you can chip in and fix the vulnerabilities that you have found. Please make sure you do not regress any system functionalities as it is largely undocumented.

Please do PR for the fixes.
