
[security] CVE-2020-8645, SQL injection in job applications search function #9

gwen001 opened this issue Jan 19, 2020 · 3 comments

gwen001 commented Jan 19, 2020

Description: An issue was discovered in SJS through 1.66. There is an unauthenticated SQL injection via the job applications search function. The vulnerable parameter is job_id. The function is getJobApplicationsByJobId(). The file is _lib/class.JobApplication.php.


Version: 1.64
OS: Ubuntu 16.10
Web server: Apache 2.4.18
PHP: 5.6.40
Database: MySQL 5.7.28
URL: /get_job_applications_ajax.php
Payload: job_id=493+AND+(SELECT+9069+FROM+(SELECT(SLEEP(5)))Ufmy)

Steps to Reproduce:
$ sqlmap --batch --threads=10 --dbms=mysql -u "" --data="job_id=493" --banner



gwen001 commented Jan 28, 2020

For that one, I recommend casting the vulnerable parameter with int().

It would also be great to check that the provided job_id belongs to the connected user. For now every user, even an unauthenticated one, can retrieve all applications by looping through that number, which is basically what we call an IDOR.

Best regards.
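
The two points raised in this thread (string-concatenated job_id reaching MySQL, and no ownership check on the returned applications) side by side with the int() cast that was later applied. This is an added illustration, not code from SJS or from anyone in the issue: the table and column names (jobs, job_applications, employer_id, applicant_name), the $currentUserId argument and the SQLite stand-in for MySQL are assumptions. Because SQLite has no SLEEP(), the offline demo replays a tautology payload rather than the time-based one from the report.

```php
<?php
// Added example; reconstructs the reported pattern, not SJS's actual code.
// Assumed schema: jobs(id, employer_id), job_applications(id, job_id, applicant_name).
declare(strict_types=1);

// --- Vulnerable shape (the pattern described in the report) ----------------
// Concatenating the raw job_id is what lets a payload such as
//   job_id=493 AND (SELECT 9069 FROM (SELECT(SLEEP(5)))Ufmy)
// reach MySQL intact; the 5 second delay is the time-based oracle sqlmap
// used to confirm the injection without authentication.
function getJobApplicationsByJobIdVulnerable(PDO $db, string $jobId): array
{
    $sql = "SELECT id, job_id, applicant_name FROM job_applications WHERE job_id = $jobId";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened shape ----------------------------------------------------------
// 1. (int) cast, the fix applied upstream: "493 AND (SELECT ..." becomes 493,
//    so nothing but an integer can ride along in the parameter.
// 2. Bound parameter, so the cast is not the only barrier (defence in depth).
// 3. Ownership check, the IDOR point: only applications for jobs owned by the
//    current user come back, instead of every job's applications.
function getJobApplicationsByJobId(PDO $db, string $rawJobId, int $currentUserId): array
{
    $jobId = (int) $rawJobId;
    if ($jobId <= 0) {
        return [];
    }
    $stmt = $db->prepare(
        'SELECT a.id, a.job_id, a.applicant_name
           FROM job_applications a
           JOIN jobs j ON j.id = a.job_id
          WHERE a.job_id = :job_id
            AND j.employer_id = :employer_id'
    );
    $stmt->execute([':job_id' => $jobId, ':employer_id' => $currentUserId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Offline demonstration (constructed sample data, SQLite in memory) ------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jobs (id INTEGER PRIMARY KEY, employer_id INTEGER)');
$db->exec('CREATE TABLE job_applications (id INTEGER PRIMARY KEY, job_id INTEGER, applicant_name TEXT)');
$db->exec('INSERT INTO jobs VALUES (493, 7), (494, 8)');
$db->exec("INSERT INTO job_applications VALUES (1, 493, 'alice'), (2, 494, 'bob')");

// A tautology stands in for the SLEEP() payload: SQLite cannot delay, but the
// injected boolean still widens the WHERE clause to every row.
$payload = '493 OR 1=1';

echo "vulnerable, injected payload: ",
    count(getJobApplicationsByJobIdVulnerable($db, $payload)), " application(s)\n";

// Through the hardened function the cast yields 493; user 7 owns job 493 and
// sees its application, user 8 does not own it and gets nothing.
echo "hardened, user 7: ", count(getJobApplicationsByJobId($db, $payload, 7)), " application(s)\n";
echo "hardened, user 8: ", count(getJobApplicationsByJobId($db, $payload, 8)), " application(s)\n";
```

Run with `php example.php` (needs the pdo_sqlite extension). The vulnerable function returns both rows for the injected payload, the hardened one returns one row for the owning user and none for anyone else. Note that the cast alone would have stopped the injection but not the enumeration described in the second comment; the JOIN on employer_id is what addresses that.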


niteosoft commented Feb 4, 2020

Thank you for submitting the issue. We have typecasted the job_id as an integer as you suggested.


gwen001 commented Feb 4, 2020

Great job!

@gwen001 gwen001 changed the title [security] SQL injection in job applications search function [security] CVE-2020-8645, SQL injection in job applications search function Feb 5, 2020