Headline
CVE-2023-50429: IzyBat Orange casiers - SQL injection
IzyBat Orange casiers before 20230803_1 allows getEnsemble.php ensemble SQL injection.
Overview
Possible SQL injection from the web portal https://orange-casiers.fr/
Details
The SQL injection makes it possible to retrieve employees' RFID badge identifiers from the database, which allows an attacker to emulate their badges (e.g. with a Flipper Zero) and open their locker(s). In addition, the SQLi allows recovery of the entire database (email addresses, password hashes, etc.).
The vulnerability concerns the getEnsemble.php endpoint on a POST request; the vulnerable parameter is ensemble. See PoC_1
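To make the root cause and the fix concrete, the following is an added illustration (not the vendor's code; the advisory does not show the source of getEnsemble.php). It uses a constructed in-memory SQLite table with a hypothetical "lockers" schema, and contrasts splicing the request parameter into the SQL text with binding it as a query parameter, which is the standard remediation for this class of bug. The tautology input is a constructed test value used only to show that the unbound query changes structure while the bound one does not.

```python
import sqlite3

# Constructed sample data (hypothetical schema, not the vendor's): lockers
# grouped by "ensemble", the same name as the POST parameter in the advisory.
SAMPLE_ROWS = [
    ("A", 101, "locker-1"),
    ("A", 102, "locker-2"),
    ("B", 201, "locker-3"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE lockers (ensemble TEXT, rfid INTEGER, label TEXT)")
    conn.executemany("INSERT INTO lockers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_ensemble_vulnerable(conn, ensemble):
    """Anti-pattern: the request parameter is spliced into the SQL string,
    so a quote character in the input rewrites the WHERE clause."""
    sql = f"SELECT rfid, label FROM lockers WHERE ensemble = '{ensemble}'"
    return conn.execute(sql).fetchall()


def get_ensemble_safe(conn, ensemble):
    """Fix: bind the parameter. The driver passes it as a value, so the
    query structure is fixed regardless of the input's contents."""
    sql = "SELECT rfid, label FROM lockers WHERE ensemble = ?"
    return conn.execute(sql, (ensemble,)).fetchall()


def demo():
    """Run both variants on a benign value and on a constructed test input
    that contains a quote, and return the four result sets for comparison."""
    conn = make_db()
    benign = "A"
    quoted_input = "' OR '1'='1"  # constructed value containing a quote
    return {
        "vuln_benign": get_ensemble_vulnerable(conn, benign),
        "vuln_quoted": get_ensemble_vulnerable(conn, quoted_input),
        "safe_benign": get_ensemble_safe(conn, benign),
        "safe_quoted": get_ensemble_safe(conn, quoted_input),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The two "benign" results are identical, which is why this defect survives functional testing; only the quoted input exposes the difference, with the bound query returning no rows because the whole string is compared as a literal. The same principle applies in PHP with PDO or mysqli prepared statements, which is where a fix for this endpoint would live.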
Proof of Concept
See PoC_2, PoC_3, PoC_4
References
Credits
Arthur NAULLET at Orange group
Orange CERT-CC at Orange group
Timeline
Date reported: August 2, 2023
Date fixed: August 3, 2023