Headline
CVE-2023-22630: IzyBat Orange casiers - SQLi injection
IzyBat Orange casiers before 20221102_1 allows SQL Injection via a getCasier.php?taille= URI.
Overview
An authenticated remote attacker can perform a time-based SQL injection against the Orange casiers database.
Note: anyone can sign up for a user account, so the authentication requirement is not a meaningful barrier.
Impact
Information disclosure
Details
A time-based SQLi was detected on http://orange-casiers.fr/getCasier.php?taille=b via the "taille" parameter.
The SQLi allowed us to dump the database, which contained first names, family names, password hashes, badge serial numbers, ...
Not affected version
20221102_1
Proof of Concept
You need to select a locker block that lets you choose between a top and a bottom locker.
When asked whether you prefer a top or bottom locker, visit the URL http://orange-casiers.fr/getCasier.php?taille=1'+OR'1'%3D'1 instead to get the first available locker regardless of its physical location.
Revisiting the URL allows a user to obtain another locker, bypassing the usual limit of one locker per person. In fact, you could reserve every single available locker.
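The two defensive layers a fix for this class of bug needs, shown as an added example that is not code from the advisory or from IzyBat: an allow-list check on "taille" (used both in the handler and to hunt for the proof-of-concept payload in constructed access-log lines), and a parameterised lookup in which the same payload is bound as data. The allowed values ("b" and "h") and the casiers schema are assumptions of this example.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list for "taille": the advisory only shows "b"; "h" as the
# top-locker value and the casiers schema below are assumptions of this example.
ALLOWED_TAILLE = {"b", "h"}

# Constructed access-log lines (not real traffic); the last one carries the
# advisory's proof-of-concept payload, URL-encoded as a browser sends it.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2022:10:01:02 +0100] "GET /getCasier.php?taille=b HTTP/1.1" 200 512
10.0.0.5 - - [02/Nov/2022:10:01:09 +0100] "GET /getCasier.php?taille=h HTTP/1.1" 200 498
10.0.0.7 - - [02/Nov/2022:10:02:41 +0100] "GET /getCasier.php?taille=1%27+OR%271%27%3D%271 HTTP/1.1" 200 611
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) ')

def taille_is_valid(value: str) -> bool:
    """First layer: reject anything outside the allow-list before it reaches SQL."""
    return value in ALLOWED_TAILLE

def suspicious_taille_requests(log_text: str) -> list:
    """Detection: getCasier.php requests whose decoded taille is off the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/getCasier.php":
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("taille", []):
            if not taille_is_valid(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "taille": value})
    return hits

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the casiers table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE casiers (id INTEGER PRIMARY KEY, taille TEXT, reserve INTEGER)")
    conn.executemany("INSERT INTO casiers VALUES (?, ?, ?)",
                     [(1, "b", 1), (2, "b", 0), (3, "h", 0), (4, "h", 1)])
    return conn

def free_lockers(conn: sqlite3.Connection, taille: str) -> list:
    """Second layer: taille is bound as a parameter, so quotes in it are data,
    not SQL; the PoC payload matches no row instead of matching every row."""
    rows = conn.execute(
        "SELECT id FROM casiers WHERE taille = ? AND reserve = 0 ORDER BY id", (taille,))
    return [r[0] for r in rows]
```

In the real handler the allow-list check runs before the query; it is kept separate here so the test can show that parameter binding alone already neutralises the payload.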
Solution
Security patch
Upgrade to 20221102_1
Credits
Orange CERT-CC
Hugo VOVARD at Orange group
Timeline
Date reported: November 2, 2022
Date fixed: November 2, 2022