A SQL injection vulnerability exists in openSIS 8.0 when MySQL or MariaDB is used as the application database. An attacker can inject SQL through the staff[TITLE] parameter of /opensis/modules/users/Staff.php: the submitted value is placed directly into an INSERT INTO staff statement, so a stray single quote ends the string literal and breaks the query, as the database error in the response below shows.

POC

RESPONSE
HTTP/1.1 200 OK
Date: Wed, 22 Sep 2021 05:39:16 GMT
Server: Apache/2.4.46 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 60208
Connection: close
Content-Type: text/html; charset=UTF-8
[…]
<TD>INSERT INTO staff (CURRENT_SCHOOL_ID,TITLE,PHYSICAL_DISABILITY) values(1,'\''','N')</TD>
</TR>
</TR><TR>
<TD align=right><b>Traceback:</b></TD>
<TD>/var/www/opensis/modules/users/Staff.php at 590</TD>
</TR>
</TR><TR>
<TD align=right><b>Additional Information:</b></TD>
<TD>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'N')' at line 1</TD>
</TR>
</TABLE>
<TABLE CELLSPACING=10 BORDER=0>
[…]
SOLUTION
Pass $_REQUEST['staff'] through sqlSecurityFilter() before its entries are assigned to $value (and from there into the INSERT), instead of iterating over the raw request array:
$staffs = sqlSecurityFilter($_REQUEST['staff']);
foreach ($staffs as $column => $value) {
    if ($column == 'BIRTHDATE' && $value != '')
    {
        $value = date("Y-m-d", strtotime($value));
    }
    // ... the remaining per-column handling and the INSERT itself follow in Staff.php
}
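The following is an added example and not openSIS code: it reproduces the unsafe pattern the advisory describes (request-supplied staff columns concatenated into an INSERT INTO staff statement) next to a hardened version that whitelists column names and binds every value with a mysqli prepared statement. The function names, the ALLOWED_STAFF_COLUMNS list, and the use of mysqli are assumptions for illustration; the only names taken from the page are the staff table and its CURRENT_SCHOOL_ID, TITLE, BIRTHDATE and PHYSICAL_DISABILITY columns.

```php
<?php
// Added example, not openSIS code. Column whitelist and function names are
// assumptions; only `staff` and the column names above come from the advisory.

// Columns the form may write. Anything else in $_REQUEST['staff'] is dropped,
// which also stops an attacker from injecting through the column *name*.
const ALLOWED_STAFF_COLUMNS = ['TITLE', 'FIRST_NAME', 'LAST_NAME', 'BIRTHDATE', 'PHYSICAL_DISABILITY'];

/**
 * Vulnerable shape: request values are interpolated straight into the SQL text.
 * Returns the statement string so the effect of a quote in TITLE can be seen.
 */
function buildStaffInsertUnsafe(int $schoolId, array $staff): string
{
    $columns = ['CURRENT_SCHOOL_ID'];
    $values  = [(string) $schoolId];
    foreach ($staff as $column => $value) {
        $columns[] = $column;            // column name is attacker-controlled too
        $values[]  = "'" . $value . "'"; // no escaping: a quote ends the literal
    }
    return 'INSERT INTO staff (' . implode(',', $columns)
         . ') values(' . implode(',', $values) . ')';
}

/**
 * Hardened shape: column names are checked against a whitelist and every value
 * travels as a bound parameter, so quotes in TITLE never reach the SQL parser
 * as syntax. Returns the new row id.
 */
function insertStaffSafe(mysqli $db, int $schoolId, array $staff): int
{
    $columns = ['CURRENT_SCHOOL_ID'];
    $params  = [$schoolId];
    $types   = 'i';
    foreach ($staff as $column => $value) {
        if (!in_array($column, ALLOWED_STAFF_COLUMNS, true)) {
            continue; // unknown column: ignore rather than interpolate
        }
        if ($column === 'BIRTHDATE' && $value !== '') {
            $ts = strtotime($value);
            if ($ts === false) {
                throw new InvalidArgumentException('BIRTHDATE is not a date');
            }
            $value = date('Y-m-d', $ts);
        }
        $columns[] = $column;
        $params[]  = $value;
        $types    .= 's';
    }
    $placeholders = implode(',', array_fill(0, count($params), '?'));
    $sql  = 'INSERT INTO staff (' . implode(',', $columns) . ') VALUES (' . $placeholders . ')';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param($types, ...$params);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return $stmt->insert_id;
}

// Constructed input: the TITLE value `\''` that the error message above implies
// (a backslash, then two single quotes), alongside a normal column.
$constructedStaff = ['TITLE' => "\\''", 'PHYSICAL_DISABILITY' => 'N'];

// Show the statement the unsafe builder would hand to MariaDB for that input.
echo buildStaffInsertUnsafe(1, $constructedStaff), "\n";

// The safe path needs a live connection; replace the credentials to try it.
// $db = new mysqli('127.0.0.1', 'opensis', 'secret', 'opensis');
// echo insertStaffSafe($db, 1, $constructedStaff), "\n";
```

Run with `php example.php` to print the statement the unsafe builder produces for the constructed input; it is the same broken INSERT the page's error page quotes, which is what confirms the value reached the query text untouched. The hardened version does not depend on an escaping filter such as sqlSecurityFilter() being applied on every path: because the values are bound rather than spliced into the string, MariaDB never parses them as SQL, and the whitelist closes the separate hole of the array keys being used as column names.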