CVE-2022-45962: Version 9.0 release · OS4ED/openSIS-Classic@81799fd
Open Solutions for Education, Inc openSIS Community Edition v8.0 and earlier is vulnerable to SQL Injection via CalendarModal.php.
@@ -28,7 +28,7 @@ #***************************************************************************************
session_start(); !empty($_SESSION[‘USERNAME’]) or die(‘Access denied!’); //!empty($_SESSION[‘PROFILE_ID’]) or die(‘Access denied!’);
include “functions/ParamLibFnc.php"; echo '<script type="text/javascript” src="assets/js/pages/components_popups.js"></script>’; @@ -99,14 +99,13 @@ if ($url === FALSE) { header(‘Location: index.php’); } error_reporting(E_ERROR); $isajax = “ajax"; $start_time = time(); include 'Warehouse.php’; array_rwalk($_REQUEST, ‘strip_tags’); $title_set = '’;
if (UserStudentID() && User(‘PROFILE’) != ‘parent’ && User(‘PROFILE’) != ‘student’ && substr(clean_param($_REQUEST[‘modname’], PARAM_NOTAGS), 0, 5) != ‘Atten’ && substr(clean_param($_REQUEST[‘modname’], PARAM_NOTAGS), 0, 5) != ‘users’ && clean_param($_REQUEST[‘modname’], PARAM_NOTAGS) != ‘students/AddUsers.php’ && $_REQUEST[‘modname’]!= ‘tools/Backup.php’ && (substr(clean_param($_REQUEST[‘modname’], PARAM_NOTAGS), 0, 10) != ‘attendance’ || clean_param($_REQUEST[‘modname’], PARAM_NOTAGS) == ‘attendance/StudentSummary.php’ || clean_param($_REQUEST[‘modname’], PARAM_NOTAGS) == ‘attendance/DailySummary.php’ || clean_param($_REQUEST[‘modname’], PARAM_NOTAGS) == ‘attendance/AddAbsences.php’)) { if (UserStudentID() && User(‘PROFILE’) != ‘parent’ && User(‘PROFILE’) != ‘student’ && substr(clean_param($_REQUEST[‘modname’], PARAM_NOTAGS), 0, 5) != ‘Atten’ && substr(clean_param($_REQUEST[‘modname’], PARAM_NOTAGS), 0, 5) != ‘users’ && clean_param($_REQUEST[‘modname’], PARAM_NOTAGS) != ‘students/AddUsers.php’ && $_REQUEST[‘modname’] != ‘tools/Backup.php’ && (substr(clean_param($_REQUEST[‘modname’], PARAM_NOTAGS), 0, 10) != ‘attendance’ || clean_param($_REQUEST[‘modname’], PARAM_NOTAGS) == ‘attendance/StudentSummary.php’ || clean_param($_REQUEST[‘modname’], PARAM_NOTAGS) == ‘attendance/DailySummary.php’ || clean_param($_REQUEST[‘modname’], PARAM_NOTAGS) == ‘attendance/AddAbsences.php’)) { $RET = DBGet(DBQuery(“SELECT FIRST_NAME,LAST_NAME,MIDDLE_NAME,NAME_SUFFIX FROM students WHERE STUDENT_ID=’” . UserStudentID() . “’”)); $count_student_RET = DBGet(DBQuery(“SELECT COUNT(*) AS NUM FROM students”));
@@ -125,8 +124,8 @@ 'students/EnrollmentReport.php’, // For Scheduling // 'scheduling/Schedule.php’, 'scheduling/ViewSchedule.php’, 'scheduling/Requests.php’, 'scheduling/ViewSchedule.php’, 'scheduling/Requests.php’, // 'scheduling/MassSchedule.php’, // 'scheduling/MassRequests.php’, 'scheduling/PrintSchedules.php’, @@ -141,7 +140,7 @@ 'grades/AdminProgressReports.php’, 'grades/ProgressReports.php’, // 'grades/HonorRoll.php’, 'grades/EditReportCardGrades.php’, 'grades/EditReportCardGrades.php’, // 'grades/GraduationProgress.php’, // For Attendance 'attendance/AddAbsences.php’, @@ -156,37 +155,32 @@
$allow_back_to_student_list = array( // For Students 'students/Student.php’, 'students/Student.php’, // For Scheduling // 'scheduling/Schedule.php’, 'scheduling/ViewSchedule.php’, 'scheduling/Requests.php’, 'scheduling/ViewSchedule.php’, 'scheduling/Requests.php’, // For Grades ‘grades/EditReportCardGrades.php’, ‘grades/EditReportCardGrades.php’, // For Eligibility ‘eligibility/Student.php’ );
if ($count_student_RET[1][‘NUM’] > 1) { $title_set = ‘y’;
if(in_array($_REQUEST[‘modname’], $allow_buffer_list)) { if(in_array($_REQUEST[‘modname’], $allow_back_to_student_list)) { DrawHeaderHome(‘<div class="panel"><div class="panel-heading"><h6 class="panel-title">’._selectedStudent.’ : ' . $RET[1][‘FIRST_NAME’] . ' ' . ($RET[1][‘MIDDLE_NAME’] ? $RET[1][‘MIDDLE_NAME’] . ' ' : ‘’) . $RET[1][‘LAST_NAME’] . ' ' . $RET[1][‘NAME_SUFFIX’] . ‘</h6> <div class="heading-elements clearfix"><span class="heading-text"><A HREF=Modules.php?modname=’ . clean_param($_REQUEST[‘modname’], PARAM_NOTAGS) . ‘&search_modfunc=list&next_modname=Students/Student.php&ajax=true&bottom_back=true&return_session=true target=body><i class="icon-square-left"></i> ‘._backToStudentList.’</A></span><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student_id=new&modcat=’ . clean_param($_REQUEST[‘modcat’], PARAM_NOTAGS) . ‘&modname=’ . $_REQUEST[‘modname’] . ' class="btn btn-danger btn-xs">’._deselect.’</A></div></div></div></div>’); } else { DrawHeaderHome(‘<div class="panel"><div class="panel-heading"><h6 class="panel-title">’._selectedStudent.’ : ' . $RET[1][‘FIRST_NAME’] . ' ' . ($RET[1][‘MIDDLE_NAME’] ? $RET[1][‘MIDDLE_NAME’] . ' ' : ‘’) . $RET[1][‘LAST_NAME’] . ' ' . $RET[1][‘NAME_SUFFIX’] . ‘</h6> <div class="heading-elements clearfix"><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student_id=new&modcat=’ . clean_param($_REQUEST[‘modcat’], PARAM_NOTAGS) . ‘&modname=’ . $_REQUEST[‘modname’] . ' class="btn btn-danger btn-xs">’._deselect.’</A></div></div></div></div>’); if (in_array($_REQUEST[‘modname’], $allow_buffer_list)) { if (in_array($_REQUEST[‘modname’], $allow_back_to_student_list)) { DrawHeaderHome(‘<div class="panel"><div class="panel-heading"><h6 class="panel-title">’ . _selectedStudent . ' : ' . $RET[1][‘FIRST_NAME’] . ' ' . ($RET[1][‘MIDDLE_NAME’] ? $RET[1][‘MIDDLE_NAME’] . ' ' : ‘’) . $RET[1][‘LAST_NAME’] . ' ' . $RET[1][‘NAME_SUFFIX’] . 
‘</h6> <div class="heading-elements clearfix"><span class="heading-text"><A HREF=Modules.php?modname=’ . clean_param($_REQUEST[‘modname’], PARAM_NOTAGS) . ‘&search_modfunc=list&next_modname=Students/Student.php&ajax=true&bottom_back=true&return_session=true target=body><i class="icon-square-left"></i> ' . _backToStudentList . ‘</A></span><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student_id=new&modcat=’ . clean_param($_REQUEST[‘modcat’], PARAM_NOTAGS) . ‘&modname=’ . $_REQUEST[‘modname’] . ' class="btn btn-danger btn-xs">’ . _deselect . ‘</A></div></div></div></div>’); } else { DrawHeaderHome(‘<div class="panel"><div class="panel-heading"><h6 class="panel-title">’ . _selectedStudent . ' : ' . $RET[1][‘FIRST_NAME’] . ' ' . ($RET[1][‘MIDDLE_NAME’] ? $RET[1][‘MIDDLE_NAME’] . ' ' : ‘’) . $RET[1][‘LAST_NAME’] . ' ' . $RET[1][‘NAME_SUFFIX’] . ‘</h6> <div class="heading-elements clearfix"><div class="btn-group heading-btn"><A HREF=SideForStudent.php?student_id=new&modcat=’ . clean_param($_REQUEST[‘modcat’], PARAM_NOTAGS) . ‘&modname=’ . $_REQUEST[‘modname’] . ' class="btn btn-danger btn-xs">’ . _deselect . ‘</A></div></div></div></div>’); } } } else if ($count_student_RET[1][‘NUM’] == 1) { $title_set = ‘y’;
if(in_array($_REQUEST[‘modname’], $allow_buffer_list)) { DrawHeaderHome(‘<div class="panel"><div class="panel-heading"><h6 class="panel-title">’._selectedStudent.’ : ' . $RET[1][‘FIRST_NAME’] . ' ' . ($RET[1][‘MIDDLE_NAME’] ? $RET[1][‘MIDDLE_NAME’] . ' ' : ‘’) . $RET[1][‘LAST_NAME’] . ' ' . $RET[1][‘NAME_SUFFIX’] . ‘</h6> <div class="heading-elements clearfix"><A HREF=SideForStudent.php?student_id=new&modcat=’ . clean_param($_REQUEST[‘modcat’], PARAM_NOTAGS) . ‘&modname=’ . $_REQUEST[‘modname’] . ' class="btn btn-danger btn-xs">’._deselect.’</A></div></div></div>’); if (in_array($_REQUEST[‘modname’], $allow_buffer_list)) { DrawHeaderHome(‘<div class="panel"><div class="panel-heading"><h6 class="panel-title">’ . _selectedStudent . ' : ' . $RET[1][‘FIRST_NAME’] . ' ' . ($RET[1][‘MIDDLE_NAME’] ? $RET[1][‘MIDDLE_NAME’] . ' ' : ‘’) . $RET[1][‘LAST_NAME’] . ' ' . $RET[1][‘NAME_SUFFIX’] . ‘</h6> <div class="heading-elements clearfix"><A HREF=SideForStudent.php?student_id=new&modcat=’ . clean_param($_REQUEST[‘modcat’], PARAM_NOTAGS) . ‘&modname=’ . $_REQUEST[‘modname’] . ' class="btn btn-danger btn-xs">’ . _deselect . ‘</A></div></div></div>’); } } } 
@@ -199,7 +193,7 @@ if ($_REQUEST[‘modname’] != ‘users/User.php’) { $RET = DBGet(DBQuery(“SELECT FIRST_NAME,LAST_NAME FROM staff WHERE STAFF_ID=’” . UserStaffID() . “’”)); echo '<div class="panel panel-default">’; DrawHeader(‘’._selectedStaff.’ : ' . $RET[1][‘FIRST_NAME’] . ' ' . $RET[1][‘LAST_NAME’], ‘<span class="heading-text"><A HREF=Modules.php?modname=’ . clean_param($_REQUEST[‘modname’], PARAM_NOTAGS) . ‘&search_modfunc=list&next_modname=users/User.php&ajax=true&bottom_back=true&return_session=true target=body><i class="icon-square-left"></i> ‘._backToUserList.’</A></span><div class="btn-group heading-btn"><A HREF=Side.php?staff_id=new&modcat=’ . clean_param($_REQUEST[‘modcat’], PARAM_NOTAGS) . ' class="btn btn-danger btn-xs">’._deselect.’</A></div>’); DrawHeader(‘’ . _selectedStaff . ' : ' . $RET[1][‘FIRST_NAME’] . ' ' . $RET[1][‘LAST_NAME’], ‘<span class="heading-text"><A HREF=Modules.php?modname=’ . clean_param($_REQUEST[‘modname’], PARAM_NOTAGS) . ‘&search_modfunc=list&next_modname=users/User.php&ajax=true&bottom_back=true&return_session=true target=body><i class="icon-square-left"></i> ' . _backToUserList . ‘</A></span><div class="btn-group heading-btn"><A HREF=Side.php?staff_id=new&modcat=’ . clean_param($_REQUEST[‘modcat’], PARAM_NOTAGS) . ' class="btn btn-danger btn-xs">’ . _deselect . ‘</A></div>’); echo '</div>’; } } @@ -208,10 +202,10 @@ if (!isset($_REQUEST[‘_openSIS_PDF’])) { Warehouse(‘header’);
// if (strpos(clean_param($_REQUEST[‘modname’], PARAM_NOTAGS), ‘miscellaneous/’) === false) // echo ‘<script language="JavaScript">if(window == top && (!window.opener || window.opener.location.href.substring(0,(window.opener.location.href.indexOf(“&”)!=-1?window.opener.location.href.indexOf(“&”):window.opener.location.href.replace(“#","”).length))!=window.location.href.substring(0,(window.location.href.indexOf(“&”)!=-1?window.location.href.indexOf(“&”):window.location.href.replace(“#","”).length)))) window.location.href = "index.php";</script>’; echo "<BODY marginwidth=0 leftmargin=0 border=0 onload=’doOnload();’ background=assets/bg.gif>"; echo '<DIV id="Migoicons” style="visibility:hidden;position:absolute;z-index:1000;top:-100"></DIV>’; if (strpos(clean_param($_REQUEST[‘modname’], PARAM_NOTAGS), ‘miscellaneous/’) === false) echo ‘<script language="JavaScript">if(window == top && (!window.opener || window.opener.location.href.substring(0,(window.opener.location.href.indexOf(“&”)!=-1?window.opener.location.href.indexOf(“&”):window.opener.location.href.replace(“#","”).length))!=window.location.href.substring(0,(window.location.href.indexOf(“&”)!=-1?window.location.href.indexOf(“&”):window.location.href.replace(“#","”).length)))) window.location.href = "index.php";</script>’; // echo "<BODY marginwidth=0 leftmargin=0 border=0 onload=’doOnload();’ background=assets/bg.gif>"; // echo '<DIV id="Migoicons" style="visibility:hidden;position:absolute;z-index:1000;top:-100"></DIV>’; }
$ajax_to_sign_in = ""; @@ -261,8 +255,7 @@
if (preg_match('/\.\./’, $modname) !== 1) include ‘modules/’ . $modname; } else { } else { if (User(‘USERNAME’)) {
@@ -273,7 +266,7 @@ }
echo ""._youReNotAllowedToUseThisProgram."! "._thisAttemptedViolationHasBeenLoggedAndYourIpAddressWasCaptured."."; echo “” . _youReNotAllowedToUseThisProgram . "! " . _thisAttemptedViolationHasBeenLoggedAndYourIpAddressWasCaptured . "."; DBQuery(“INSERT INTO hacking_log (HOST_NAME,IP_ADDRESS,LOGIN_DATE,VERSION,PHP_SELF,DOCUMENT_ROOT,SCRIPT_NAME,MODNAME,USERNAME) values('$_SERVER[SERVER_NAME]',’$ip’,’” . date(‘Y-m-d’) . “’,’$openSISVersion’,’$_SERVER[PHP_SELF]',’$_SERVER[DOCUMENT_ROOT]',’$_SERVER[SCRIPT_NAME]',’$_REQUEST[modname]',’” . User(‘USERNAME’) . "’)"); Warehouse(‘footer’); if ($openSISNotifyAddress) @@ -302,7 +295,8 @@ echo '</HTML>’; }
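Review bot: The `hacking_log` INSERT in this hunk still builds its SQL by interpolating `$_SERVER[SERVER_NAME]`, `$_SERVER[PHP_SELF]`, `$_SERVER[SCRIPT_NAME]` and `$_REQUEST[modname]` straight into the query string, so the logging path that runs when access is denied is itself an injection point; the `array_rwalk($_REQUEST, 'strip_tags')` call in the first hunk removes tags only and leaves quotes intact. The `SERVER_NAME` value can follow the client's Host header depending on server configuration, so it should be treated as untrusted as well. The values should be bound through a prepared statement if the project's DB layer offers one, or otherwise passed through the same escaping helper the rest of the code uses before concatenation, e.g. `$modname_log = <escape-helper>($_REQUEST['modname']);` and likewise for the three `$_SERVER` fields. The same concatenation style appears in the `STUDENT_ID='" . UserStudentID() . "'"` and `STAFF_ID='" . UserStaffID() . "'"` queries in the earlier hunks; those values are session-derived, but converting them too would keep all queries in the file on one pattern. The `else` block that contains this INSERT opens outside the hunk.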
function decode_unicode_url($str) { function decode_unicode_url($str) { $res = '’;
$i = 0; @@ -317,11 +311,11 @@ function decode_unicode_url($str) { $character = chr($value); else if ($value < 0x0800) // 2 bytes: 110xxxxx 10xxxxxx $character = chr((($value & 0x07c0) >> 6) | 0xc0) . chr(($value & 0x3f) | 0x80); . chr(($value & 0x3f) | 0x80); else // 3 bytes: 1110xxxx 10xxxxxx 10xxxxxx $character = chr((($value & 0xf000) >> 12) | 0xe0) . chr((($value & 0x0fc0) >> 6) | 0x80) . chr(($value & 0x3f) | 0x80); . chr((($value & 0x0fc0) >> 6) | 0x80) . chr(($value & 0x3f) | 0x80); } else $i++;
@@ -331,21 +325,23 @@ function decode_unicode_url($str) { return $res . substr($str, $i); }
function code2utf($num) { function code2utf($num) { if ($num < 128) return chr($num); if ($num < 1024) return chr(($num >> 6) + 192) . chr(($num & 63) + 128); if ($num < 32768) return chr(($num >> 12) + 224) . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128); . chr(($num & 63) + 128); if ($num < 2097152) return chr(($num >> 18) + 240) . chr((($num >> 12) & 63) + 128) . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128); . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128); return '’; }
function unescape($strIn, $iconv_to = ‘UTF-8’) { function unescape($strIn, $iconv_to = ‘UTF-8’) { $strOut = '’; $iPos = 0; $len = strlen($strIn); @@ -382,5 +378,3 @@ function unescape($strIn, $iconv_to = ‘UTF-8’) { } return $strOut; }
?>