
IzyBat Orange casiers - SQLi injection (CVE-2023-22630)

Moderate
lbrossault published GHSA-j94f-5cg6-6j9j Jan 4, 2023

Package

orange casiers (IzyBat)

Affected versions

20220916_1

Patched versions

20221102_1

Description

Overview

An authenticated remote attacker can perform a time-based SQL injection against the Orange casiers database.
Note: anyone can sign up for a user account, so the authentication requirement is not a meaningful barrier.

Impact

Information disclosure

Details

A time-based SQL injection has been detected on http://orange-casiers.fr/getCasier.php?taille=b via the “taille” parameter.
The SQL injection allowed us to dump the database, which contains first names, family names, password hashes, badge serial numbers, and more.

Unaffected version

20221102_1

Proof of Concept

You need to select a locker block that lets you choose between a top or bottom locker.
When asked whether you prefer a top or bottom locker, visit the URL http://orange-casiers.fr/getCasier.php?taille=1’+OR’1’%3D’1 instead to get the first locker available regardless of its physical location.
Revisiting the URL allows a user to get another locker, bypassing the usual limit of one locker per person. In fact, you could reserve every single locker available.
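To show why the “taille” parameter behaves this way and what the fix pattern looks like, here is an added example written for this advisory; it is not the IzyBat application's code, whose source is not public. The table and column names (casiers, taille, libre), the size codes 'h' and 'b', and the function names are all assumed. It runs on an in-memory SQLite database with constructed rows.

```php
<?php
// Added illustration, not the IzyBat/Orange casiers code base.
// Table, column and function names below are assumptions.
declare(strict_types=1);

// Vulnerable pattern (assumed to resemble the reported bug): the "taille"
// request parameter is concatenated into the SQL text, so a value such as
// 1' OR '1'='1 rewrites the WHERE clause instead of being compared as data.
function getCasierVulnerable(PDO $db, string $taille): ?array
{
    $sql = "SELECT id, taille FROM casiers WHERE taille = '" . $taille . "' AND libre = 1 LIMIT 1";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: allow-list the parameter (only two locker sizes are
// assumed to exist, 'h' for top and 'b' for bottom) and bind it as a value
// through a prepared statement so the driver never parses it as SQL.
// The allow-list also removes the time-based blind injection surface,
// because no attacker-controlled text ever reaches the query engine.
function getCasierSafe(PDO $db, string $taille): ?array
{
    if (!in_array($taille, ['h', 'b'], true)) {
        throw new InvalidArgumentException('taille must be "h" or "b"');
    }
    $stmt = $db->prepare('SELECT id, taille FROM casiers WHERE taille = :taille AND libre = 1 LIMIT 1');
    $stmt->execute([':taille' => $taille]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo on constructed data: one free top locker, one taken bottom locker.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE casiers (id INTEGER PRIMARY KEY, taille TEXT NOT NULL, libre INTEGER NOT NULL)');
$db->exec("INSERT INTO casiers (id, taille, libre) VALUES (1, 'h', 1), (2, 'b', 0)");

$payload = "1' OR '1'='1"; // the advisory's PoC value, URL-decoded

// Vulnerable: the OR clause matches any free locker, so the 'h' locker is
// returned even though the caller asked for nothing valid.
var_dump(getCasierVulnerable($db, $payload));

// Hardened: the payload is rejected before any SQL runs.
try {
    getCasierSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Hardened with a legitimate value: no free bottom locker, so NULL.
var_dump(getCasierSafe($db, 'b'));
```

The allow-list check is the important half of the fix for an enumerated field like this: binding alone stops the injection, but validating against the two known values also gives a clean place to log and reject anomalous input, which is what a detection rule on the web server should fire on as well.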

Solution

Security patch

Upgrade to 20221102_1

References

Credits

Orange CERT-CC
Hugo VOVARD at Orange group

Timeline

Date reported: November 2, 2022
Date fixed: November 2, 2022

Severity

Moderate
5.7 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CVE ID

CVE-2023-22630

Weaknesses