Security
Headlines
HeadlinesLatestCVEs

Headline

NLB mKlik Makedonija 3.3.12 SQL Injection

The mobile application or the affected API suffers from an SQL Injection vulnerability. Input passed to the parameters that are associated to international transfer is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and disclose sensitive information.

Zero Science Lab
#sql#vulnerability#web#android#google#perl

Title: NLB mKlik Makedonija 3.3.12 SQL Injection
Advisory ID: ZSL-2023-5797
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 14.10.2023

Summary

NLB mKlik е мобилна апликација наменета за физички лица, корисници на услугите на НЛБ Банка, која овозможува преглед на различните продукти кои корисниците ги имаат во Банката како и извршување на различни видови на трансакции на едноставен и пред се безбеден начин во било кој период од денот. NLB mKlik апликацијата може да се користи со Android верзија 5.0 или понова.

Description

The mobile application or the affected API suffers from an SQL Injection vulnerability. Input passed to the parameters that are associated to international transfer is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and disclose sensitive information.

Vendor

NLB Banka AD Skopje - https://www.nlb.mk

Affected Version

3.3.12

Tested On

Android 13

Vendor Status

[23.12.2022] Vulnerability discovered.
[23.12.2022] Vendor contacted.
[26.12.2022] Vendor responds asking more details.
[28.12.2022] Sent details to the vendor, not encrypted. Asked for confirmation and next steps.
[28.12.2022] Vendor thanks us for the cooperation.
[06.01.2023] Asked vendor for update and plan for fix mob/web?
[09.01.2023] Vendor informs that our request has been received and will be reviewed within the responsible department. After the department responds we will be notified.
[20.01.2023] Asked vendor to provide status update and confirmation and to communicate more often.
[23.01.2023] Vendor informs that our request is sent to the responsible department. After the department responds we will be notified.
[13.10.2023] No response from the vendor.
[14.10.2023] Public security advisory released.

PoC

nlbmklik_sqli.txt

Credits

Vulnerability discovered by Neurogenesia - <[email protected]>

References

[1] https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunskamk.production

Changelog

[14.10.2023] - Initial release

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: [email protected]

Zero Science Lab: Latest News

ABB Cylon Aspect 3.08.00 (log(Mix/Yum)Lookup.php) Off-by-One Error in Log Parsing