openSIS through 7.4 allows Directory Traversal.

    --------------------------------------------------------------openSIS <= 7.4 (Bottom.php) Local File Inclusion Vulnerability--------------------------------------------------------------[-] Software Link:https://opensis.com/[-] Affected Versions:Version 7.4 and prior versions.[-] Vulnerability Description:The vulnerable code is located in the /Bottom.php script:36.  if(clean_param($_REQUEST['modfunc'],PARAM_ALPHA)=='print')37.  {38.    $_REQUEST = $_SESSION['_REQUEST_vars'];39.    $_REQUEST['_openSIS_PDF'] = true;40.    if(strpos($_REQUEST['modname'],'?')!==false)41.      $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));42.    else43.      $modname = $_REQUEST['modname'];44.    ob_start();45.    include('modules/'.$modname);User input passed through the "modname" request parameter is not properly sanitized before beingused in a call to the "include()" function at line 45. This can be exploited to include arbitrarylocal files and potentially access otherwise restricted functionalities or execute arbitrary PHPcode with the permissions of the webserver.[-] Solution:No official solution is currently available.[-] Disclosure Timeline:[04/11/2019] - Vendor notified[04/11/2019] - Vendor acknowledgement[10/01/2020] - Vendor contacted again asking for updates[16/01/2020] - Vendor tried to fix the vulnerability by using "mysqli_real_escape_string()"[06/02/2020] - Vendor was informed about the inappropriate fix[25/04/2020] - Version 7.4 released, vulnerability still incorrectly fixed[22/05/2020] - CVE number assigned[30/06/2020] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2020-13383 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2020-07

CVE-2020-13383: openSIS 7.4 Local File Inclusion ≈ Packet Storm

openSIS through 7.4 allows SQL Injection.

-----------------------------------------------------  
openSIS <= 7.4 Multiple SQL Injection Vulnerabilities  
-----------------------------------------------------

[-] Software Link:

https://opensis.com/

[-] Affected Versions:

Version 7.4 and prior versions.

[-] Vulnerabilities Description:

The application is affected by multiple SQL Injection vulnerabilities,   
following are some examples:

1) User input passed through the "api_key" and "api_secret" parameters   
to '/api/SchoolInfo.php',  
'/api/StaffInfo.php', and '/api/StudentEnrollmentInfo.php' is not   
properly sanitized before being  
used to construct a SQL query. This can be exploited by unauthenticated   
attackers to e.g. read  
sensitive data from the database through error-based SQL Injection   
attacks.

2) User input passed through the "event_id" parameter to   
'/CalendarModal.php' is not properly  
sanitized before being used to construct a SQL query. This can be   
exploited by remote attackers  
to e.g. read sensitive data from the database through in-band SQL   
Injection attacks.

3) User input passed through the "course_id" parameter to   
'/modules/scheduling/MassSchedule.php'  
is not properly sanitized before being used to construct a SQL query.   
This can be exploited by  
remote attackers to e.g. read sensitive data from the database through   
SQL Injection attacks.

4) User input passed through the "student" parameter to   
'/modules/attendance/AddAbsences.php'  
is not properly sanitized before being used to construct a SQL query.   
This can be exploited by  
remote attackers to e.g. read sensitive data from the database through   
SQL Injection attacks.

NOTE: certain SQL Injection vulnerabilities in openSIS - like (3) or (4)   
- could also be  
abused to execute arbitrary PHP code due to an unsafe use of the   
"eval()" PHP function  
within the "DBGet()" function defined in the '/functions/DbGetFnc.php'   
script.

[-] Solution:

Upgrade to version 7.4 to remediate vulnerabilities (1) and (2).  
No official solution is currently available for the other   
vulnerabilities.

[-] Disclosure Timeline:

[04/11/2019] - Vendor notified  
[04/11/2019] - Vendor acknowledgement  
[10/01/2020] - Vendor contacted again asking for updates  
[15/01/2020] - Vendor replied they would need a few examples  
[20/01/2020] - Told the vendor they could use the PoC I sent them in   
November  
[05/02/2020] - Vendor asked for a video recording to demonstrate the   
vulnerabilities  
[06/02/2020] - Proof of Concept video sent to the vendor  
[06/02/2020] - Vendor informed about the correct fix for (1) and (2)   
with commit https://git.io/JJf4L  
[03/03/2020] - Vendor contacted again asking for updates about the other   
vulnerabilities  
[04/03/2020] - Vendor replied "we just have to wait a little longer"  
[25/04/2020] - Version 7.4 released, vulnerabilities still not fixed  
[22/05/2020] - CVE numbers assigned  
[30/06/2020] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2020-13380 to vulnerabilities (1) and (2),  
and name CVE-2020-13381 for the other vulnerabilities.

[-] Credits:

Vulnerabilities discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2020-08

CVE-2020-13381: openSIS 7.4 SQL Injection ≈ Packet Storm

In Presto before version 337, authenticated users can bypass authorization checks by directly accessing internal APIs. This impacts Presto server installations with secure internal communication configured. This does not affect installations that have not configured secure internal communication, as these installations are inherently insecure. This only affects Presto server installations. This does NOT affect clients such as the CLI or JDBC driver. This vulnerability has been fixed in version 337. Additionally, this issue can be mitigated by blocking network access to internal APIs on the coordinator and workers.

**Affected**

This affects Presto server installations. This does NOT affect clients such as the CLI or JDBC driver.

**Impact**

Authenticated users can bypass authorization checks by directly accessing internal APIs. This impacts Presto server installations with secure internal communication configured.

This does not affect installations that have not configured secure internal communication, as these installations are inherently insecure.

**Patches**

This issue has been fixed starting with PrestoSQL version 337.

**Workarounds**

This issue can be mitigated by blocking network access to internal APIs on the coordinator and workers.

**References**

See the Presto documentation for Secure Internal Communication.

**For more information**

If you have any questions or comments about this advisory:

*   Join the **#security** channel on Slack.
*   Contact the security team at security@trino.io.

CVE-2020-15087: Privilege escalation for internal APIs

A Vulnerability in the firmware of COMMAX WallPad(CDP-1020MB) allow an unauthenticated adjacent attacker to execute arbitrary code, because of a using the old version of MySQL.

CVE-2019-19163: KrCERT/CC - KISA 인터넷 보호나라&KrCERT

In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. There is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client. This has been fixed in 4.5.1.3.

CVE-2020-4067: coturn/ChangeLog at aab60340b201d55c007bcdc853230f47aa2dfdf1 · coturn/coturn

In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.

Overview

Comment:

Fix a defect in the query-flattener optimization identified by ticket \[8f157e8010b22af0\].

Downloads:

Tarball | ZIP archive | SQL archive

Timelines:

family | ancestors | descendants | both | trunk

Files:

files | file ages | folders

SHA3-256:

10fa79d00f8091e5748c245f4cae5b5f499a5f8db20da741c130e05a21ede443

User & Date:

drh on 2020-06-15 13:51:34

Other Links:

manifest | tags

Context

2021-07-12

15:00

Fix a defect in the query-flattener optimization identified by ticket \[8f157e8010b22af0\]. This fix is associated with CVE-2020-15358. (Leaf check-in: bcd014c4 user: dan tags: branch-3.32a)

14:38

Fix a defect in the query-flattener optimization identified by ticket \[8f157e8010b22af0\]. This fix is associated with CVE-2020-15358. (check-in: 9e001b63 user: dan tags: branch-3.28a)

2020-06-17

12:37

Merge miscellaneous fixes from trunk into the 3.32 branch. (check-in: d55b8e79 user: drh tags: branch-3.32)

2020-06-15

14:38

Fix the --enable-update-limit option to ./configure. (check-in: d31fd57e user: drh tags: trunk)

13:51

Fix a defect in the query-flattener optimization identified by ticket \[8f157e8010b22af0\]. (check-in: 10fa79d0 user: drh tags: trunk)

2020-06-14

13:40

Check-in \[1d4f86201dab9a22\] changed a testcase() to an assert() because we didn't know how to reach that condition any more. But YongHeng's fuzzer found a way. So now we change it back. Ticket \[9fb26d37cefaba40\]. (check-in: 90b1169d user: drh tags: trunk)

Changes

Modified src/select.c from \[1a791ad4\] to \[6ddd86a7\].

︙

︙

2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714

        pLimit = p->pLimit;
        p->pLimit = 0;
        uniondest.eDest = op;
        ExplainQueryPlan((pParse, 1, "%s USING TEMP B-TREE",
                          selectOpName(p->op)));
        rc = sqlite3Select(pParse, p, &uniondest);
        testcase( rc!=SQLITE\_OK );
        /\* Query flattening in sqlite3Select() might refill p->pOrderBy.
        \*\* Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. \*/
        sqlite3ExprListDelete(db, p->pOrderBy);        pDelete = p->pPrior;
        p->pPrior = pPrior;
        p->pOrderBy = 0;
        if( p->op==TK\_UNION ){
          p->nSelectRow = sqlite3LogEstAdd(p->nSelectRow, pPrior->nSelectRow);
        }
        sqlite3ExprDelete(db, p->pLimit);

<
<
|

2698
2699
2700
2701
2702
2703
2704

2705
2706
2707
2708
2709
2710
2711
2712

        pLimit = p->pLimit;
        p->pLimit = 0;
        uniondest.eDest = op;
        ExplainQueryPlan((pParse, 1, "%s USING TEMP B-TREE",
                          selectOpName(p->op)));
        rc = sqlite3Select(pParse, p, &uniondest);
        testcase( rc!=SQLITE\_OK );

        assert( p->pOrderBy\==0 );        pDelete = p->pPrior;
        p->pPrior = pPrior;
        p->pOrderBy = 0;
        if( p->op==TK\_UNION ){
          p->nSelectRow = sqlite3LogEstAdd(p->nSelectRow, pPrior->nSelectRow);
        }
        sqlite3ExprDelete(db, p->pLimit);

︙

︙

4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099
4100
4101

    \*\*   SELECT a+5, b\*10 FROM (SELECT x\*3 AS a, y+10 AS b FROM t1) WHERE a>b;
    \*\*   \\                     \\\_\_\_\_\_\_\_\_\_\_\_\_\_ subquery \_\_\_\_\_\_\_\_\_\_/          /
    \*\*    \\\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ outer query \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_/
    \*\*
    \*\* We look at every expression in the outer query and every place we see
    \*\* "a" we substitute "x\*3" and every place we see "b" we substitute "y+10".
    \*/
    if( pSub->pOrderBy ){      /\* At this point, any non-zero iOrderByCol values indicate that the
      \*\* ORDER BY column expression is identical to the iOrderByCol'th
      \*\* expression returned by SELECT statement pSub. Since these values
      \*\* do not necessarily correspond to columns in SELECT statement pParent,
      \*\* zero them before transfering the ORDER BY clause.
      \*\*
      \*\* Not doing this may cause an error if a subsequent call to this

|

4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099

    \*\*   SELECT a+5, b\*10 FROM (SELECT x\*3 AS a, y+10 AS b FROM t1) WHERE a>b;
    \*\*   \\                     \\\_\_\_\_\_\_\_\_\_\_\_\_\_ subquery \_\_\_\_\_\_\_\_\_\_/          /
    \*\*    \\\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ outer query \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_/
    \*\*
    \*\* We look at every expression in the outer query and every place we see
    \*\* "a" we substitute "x\*3" and every place we see "b" we substitute "y+10".
    \*/
    if( pSub->pOrderBy && (pParent->selFlags & SF\_NoopOrderBy)==0 ){      /\* At this point, any non-zero iOrderByCol values indicate that the
      \*\* ORDER BY column expression is identical to the iOrderByCol'th
      \*\* expression returned by SELECT statement pSub. Since these values
      \*\* do not necessarily correspond to columns in SELECT statement pParent,
      \*\* zero them before transfering the ORDER BY clause.
      \*\*
      \*\* Not doing this may cause an error if a subsequent call to this

︙

︙

5787
5788
5789
5790
5791
5792
5793

5794
5795
5796
5797
5798
5799
5800

           pDest->eDest==SRT\_Queue  || pDest->eDest==SRT\_DistFifo ||
           pDest->eDest==SRT\_DistQueue || pDest->eDest==SRT\_Fifo);
    /\* If ORDER BY makes no difference in the output then neither does
    \*\* DISTINCT so it can be removed too. \*/
    sqlite3ExprListDelete(db, p->pOrderBy);
    p->pOrderBy = 0;
    p->selFlags &= ~SF\_Distinct;

  }
  sqlite3SelectPrep(pParse, p, 0);
  if( pParse->nErr || db->mallocFailed ){
    goto select\_end;
  }
  assert( p->pEList!=0 );
#if SELECTTRACE\_ENABLED

>

5785
5786
5787
5788
5789
5790
5791
5792
5793
5794
5795
5796
5797
5798
5799

           pDest->eDest==SRT\_Queue  || pDest->eDest==SRT\_DistFifo ||
           pDest->eDest==SRT\_DistQueue || pDest->eDest==SRT\_Fifo);
    /\* If ORDER BY makes no difference in the output then neither does
    \*\* DISTINCT so it can be removed too. \*/
    sqlite3ExprListDelete(db, p->pOrderBy);
    p->pOrderBy = 0;
    p->selFlags &= ~SF\_Distinct;
    p->selFlags |= SF\_NoopOrderBy;  }
  sqlite3SelectPrep(pParse, p, 0);
  if( pParse->nErr || db->mallocFailed ){
    goto select\_end;
  }
  assert( p->pEList!=0 );
#if SELECTTRACE\_ENABLED

︙

︙

Modified src/sqliteInt.h from \[fe320867\] to \[abf448e9\].

︙

︙

3118
3119
3120
3121
3122
3123
3124

3125
3126
3127
3128
3129
3130
3131

#define SF\_MaybeConvert  0x0008000 /\* Need convertCompoundSelectToSubquery() \*/
#define SF\_Converted     0x0010000 /\* By convertCompoundSelectToSubquery() \*/
#define SF\_IncludeHidden 0x0020000 /\* Include hidden columns in output \*/
#define SF\_ComplexResult 0x0040000 /\* Result contains subquery or function \*/
#define SF\_WhereBegin    0x0080000 /\* Really a WhereBegin() call.  Debug Only \*/
#define SF\_WinRewrite    0x0100000 /\* Window function rewrite accomplished \*/
#define SF\_View          0x0200000 /\* SELECT statement is a view \*/


/\*
\*\* The results of a SELECT can be distributed in several ways, as defined
\*\* by one of the following macros.  The "SRT" prefix means "SELECT Result
\*\* Type".
\*\*
\*\*     SRT\_Union       Store results as a key in a temporary index

>

3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132

#define SF\_MaybeConvert  0x0008000 /\* Need convertCompoundSelectToSubquery() \*/
#define SF\_Converted     0x0010000 /\* By convertCompoundSelectToSubquery() \*/
#define SF\_IncludeHidden 0x0020000 /\* Include hidden columns in output \*/
#define SF\_ComplexResult 0x0040000 /\* Result contains subquery or function \*/
#define SF\_WhereBegin    0x0080000 /\* Really a WhereBegin() call.  Debug Only \*/
#define SF\_WinRewrite    0x0100000 /\* Window function rewrite accomplished \*/
#define SF\_View          0x0200000 /\* SELECT statement is a view \*/
#define SF\_NoopOrderBy   0x0400000 /\* ORDER BY is ignored for this query \*/
/\*
\*\* The results of a SELECT can be distributed in several ways, as defined
\*\* by one of the following macros.  The "SRT" prefix means "SELECT Result
\*\* Type".
\*\*
\*\*     SRT\_Union       Store results as a key in a temporary index

︙

︙

Modified test/selectA.test from \[b8a590f6\] to \[68de5240\].

︙

︙

1442
1443
1444
1445
1446
1447
1448

1449

1450

  DROP TABLE IF EXISTS t2;
  CREATE TABLE t1(a INTEGER);
  CREATE TABLE t2(b TEXT);
  INSERT INTO t2(b) VALUES('12345');
  SELECT \* FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a;
} {12345}

finish\_test

>
|
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471

  DROP TABLE IF EXISTS t2;
  CREATE TABLE t1(a INTEGER);
  CREATE TABLE t2(b TEXT);
  INSERT INTO t2(b) VALUES('12345');
  SELECT \* FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a;
} {12345}

\# 2020-06-15 ticket 8f157e8010b22af0
#
reset\_db
do\_execsql\_test 7.1 {
  CREATE TABLE t1(c1);     INSERT INTO t1 VALUES(12),(123),(1234),(NULL),('abc');
  CREATE TABLE t2(c2);     INSERT INTO t2 VALUES(44),(55),(123);
  CREATE TABLE t3(c3,c4);  INSERT INTO t3 VALUES(66,1),(123,2),(77,3);
  CREATE VIEW t4 AS SELECT c3 FROM t3;
  CREATE VIEW t5 AS SELECT c3 FROM t3 ORDER BY c4;
}
do\_execsql\_test 7.2 {
  SELECT \* FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t4) AND c1=123;
} {123 123}
do\_execsql\_test 7.3 {
  SELECT \* FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t5) AND c1=123;
} {123 123}
do\_execsql\_test 7.4 {
  CREATE TABLE a(b);
  CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b;
  SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b INTERSECT SELECT d FROM c) AND b = 123)) FROM c;
} {}

finish\_test

CVE-2020-15358: SQLite: Check-in [10fa79d0]

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /cnr requests.

1.  Homepage
2.  Support
3.  Security Advisories
4.  Zyxel security advisory for vulnerabilities of CloudCNM SecuManager

Summary

Zyxel CloudCNM SecuManager software is affected by hardcoded credentials and missing authentication vulnerabilities. We’re currently working with our vendor to fix the issues and will reach out to individual customers directly to roll out the solution.

What is the vulnerability?

Multiple vulnerabilities were identified in Zyxel CloudCNM SecuManager, namely:

*   Hardcoded SSH server keys
*   Backdoors accounts in MySQL
*   Hardcoded certificate and backdoor access in Ejabberd
*   Open ZODB storage without authentication
*   MyZyxel 'Cloud' Hardcoded Secret
*   Hardcoded Secrets, APIs
*   Predefined passwords for admin accounts
*   Insecure management over the 'Cloud'
*   xmppCnrSender.py log escape sequence injection
*   xmppCnrSender.py no authentication and clear-text communication
*   Incorrect HTTP requests cause out of range access in Zope
*   XSS on the web interface
*   Private SSH key
*   Backdoor APIs
*   Backdoor management access and RCE
*   Pre-auth RCE with chrooted access

What products are vulnerable—and what should you do?

After a thorough investigation, we’ve confirmed that the vulnerabilities affect only CloudCNM SecuManager, a network management tool customized for specific customer demands. Other Zyxel products and services are NOT affected by the reported vulnerabilities.

CloudCNM SecuManager is co-developed with a third-party vendor. Zyxel has taken immediate action to work with the vendor to resolve the issues, making this our top priority. We’ll reach out to individual customers to roll out the solution once it becomes available.

Got a question or a tipoff?

Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact security@zyxel.com.tw and we’ll get right back to you.

Source

https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#insecure-cloud

Revision history

2020-03-13: Initial release

CVE-2020-15336: Zyxel security advisory for vulnerabilities of CloudCNM SecuManager

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.)

(@tomson)

Posts: 487

Honorable Member Support

We just released wpDiscuz 5.3.6 version for all who still use the old v5.3.5 version and don't want to update to current latest 7.x.x version.

We have got a report that, there is a security vulnerability issue in 5.3.5 version. This issue was fixed in the major update 7.x.x versions. However, we also fixed the issue for 5.x version users and released 5.3.6 version.

If you want to keep using the old 5.x version, just update it to the 5.3.6 version using this instruction:

1.  Deactivate delete the 5.3.5 version.
2.  Download the 5.3.6 verison: https://downloads.wordpress.org/plugin/wpdiscuz.5.3.6.zip
3.  Click the \[Add New\] button in Dashboard > Plugins admin page and upload/install the 5.3.6 installation zip file.

If you don't want to use old 5.x versions, just click the \[Update\] link on wpDiscuz plugin in Dashboard > Plugins admin page and update it to the latest version.

Posted : 12/06/2020 4:55 pm

CVE-2020-13640: Security vulnerability issue in 5.3.5 version, please update...

A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Mayfly277 opened this issue

Jun 17, 2020

· 13 comments

**Comments**

**sqli as admin v1.2.12**

There is an sql injection on the latest version (in the /cacti/color.php page on the parameter filter.

**To Reproduce**

Steps to reproduce the behavior:

call /cacti/color.php?action=export&header=false&filter=')<SQLI HERE>--+-

**Expected behavior**

change the following lines :  

$sql\_where = "WHERE (name LIKE '%" . get\_request\_var('filter') . "%'

    	/* form the 'where' clause for our main sql query */
    	if (get_request_var('filter') != '') {
    		$sql_where = "WHERE (name LIKE '%" . get_request_var('filter') . "%'
    			OR hex LIKE '%" .  get_request_var('filter') . "%')";
    	} else {
    		$sql_where = '';
    }
    

You should do db_qstr('%' . get_request_var('filter') . '%') instead of '%" . get\_request\_var('filter') . "%.

**Additional context**

*   As the application accept stacked queries, this can easy lead to remote code execution by replacing the path\_php\_binary setting inside the database.

    GET /cacti/color.php?action=export&header=false&filter=1')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value='touch+/tmp/sqli_from_rce;'+where+name='path_php_binary';--+- 
    

*   Then call host.php?action=reindex and get the shell\_exec called with the path\_php\_binary.  
    

Not sure if that was already covered in our current CVE tracker. Have you tested against the very latest 1.2.x branch ?

I tried with that image which use the latest release : quantumobject/docker-cacti  
And the request :

    /cacti/color.php?action=export&header=false&filter=')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;-- -`
    

Is getting back the users and hash.

The code on this function haven't change in 3 years:

But the filter change 11 months ago and that change bring the issue.

*   The actual code (1.12.x branch):

*   before the issue Non regular expression search filters don't support international characters #2839 fix the code (v1.2.6) seems to be not vulnerable :

This was resolved some time ago in the 1.2.x branch.

> This was resolved some time ago in the 1.2.x branch.

Would you have a commit reference int the 1.2.x branch which is fixing the issue?

No this is **NOT** fixed.  
I just tried with a fresh checkout of 1.2.x. and the exploit still work.  
Please reopen @TheWitness

Mayfly277 pushed a commit to Mayfly277/cacti that referenced this issue

Jun 18, 2020

Mayfly277 pushed a commit to Mayfly277/cacti that referenced this issue

Jun 18, 2020

Thanks for verifying. And supplying a patch. Could you add the CVE number to the changelog ?

You have to be reviewing something other than the 1.2.x branch. Here is a screen capture of the 1.2.x branch. Tell me which part of this does not conform to your reasoning?

@Mayfly277, after re-reading, I think you are confused. It's "git clone -b 1.2.x ...". It's not "branch 1.12.x, it's 1.2.x.

I'll be damned. Where did that come from. Re-opening. Thanks for being persistent.

From Code: color.php always process filter by function sanitize_search_string.  
And sanitize_search_string will drop char ', , ; and )\`.  
Why your env can get SQL result.

In my test, final SQL like SQL below, all invalid char is dropped, and injection SQL around with single quot:

SELECT \*, 
        SUM(CASE WHEN local\_graph\_id\>0 THEN 1 ELSE 0 END) AS graphs, 
        SUM(CASE WHEN local\_graph\_id\=0 THEN 1 ELSE 0 END) AS templates 
    FROM (
        SELECT c.\*, local\_graph\_id 
        FROM colors AS c LEFT JOIN (
            SELECT color\_id, graph\_template\_id, local\_graph\_id FROM graph\_templates\_item WHERE color\_id\>0 
        ) AS gti ON c.id\=gti.color\_id 
    ) AS rs 
    WHERE (name LIKE '%1 UNION SELECT 1 username password 4 5 6 7 from user\_auth %' 
            OR hex LIKE '%1 UNION SELECT 1 username password 4 5 6 7 from user\_auth %') 
        AND read\_only\='on' 
    GROUP BY rs.id

 netniV changed the title \[security\] sqli as admin SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295)

Jul 12, 2020

CVE-2020-14295: SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295) · Issue #3622 · Cacti/cacti

A CWE-89:Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in U.motion Servers and Touch Panels (affected versions listed in the security notification) which could cause arbitrary code to be executed when a malicious command is entered.

 ![Security Notification - U.motion Servers and Touch Panels (V1.2)](https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-133-03&p_File_Type=big%20Thumbnail&default_image=DefaultProductImage.jpg "Security Notification - U.motion Servers and Touch Panels (V1.2)")![Security Notification - U.motion Servers and Touch Panels (V1.2)](https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-133-03&p_File_Type=big%20Thumbnail&default_image=DefaultProductImage.jpg "Security Notification - U.motion Servers and Touch Panels (V1.2)")

Reference

 : 

SEVD-2020-133-03

Date

 : 

15/04/2021

Type

 : 

Technical leaflet

Languages :

English

Version :

1.2

Files

Size

SEVD-2020-133-03\_U.motion\_Servers\_and\_Touch\_Panels\_Notification\_V1.2 (.pdf)

242.8 kb

Download

Add to my Documents

Tag

#sql