
SQL Injection Security Issue

Open d0ub1edd opened this issue 1 year ago • 3 comments

This pull request addresses a critical SQL Injection vulnerability found in the application. The vulnerability allows any authenticated user to exploit the SQL query by injecting malicious SQL code, potentially leading to unauthorized data access or manipulation.

Impact: This vulnerability allows an attacker with any level of system access to execute arbitrary SQL queries. This can lead to data leakage, data corruption, or full database compromise.

Requirements for Exploitation: The attacker must be authenticated to the system but does not need elevated privileges.

Fix: This PR is fixing the SQL Injection vulnerabilities.

d0ub1edd avatar Sep 09 '24 09:09 d0ub1edd

Your PR lacks a proof of concept.

You can't rely on REMOTE_ADDR being true... it could be the wrong address due to anonymising proxies or some such trick. You can rely on it always being an IP address, so SQL injection by this path is impossible.

Source: https://stackoverflow.com/questions/2018151/ip-address-sql-injection#answer-2018561

francoisjacquet avatar Oct 04 '24 20:10 francoisjacquet

Unfixed code is:

```php
// Attacker-controlled request header wins over the connection's real address
if ($_SERVER['HTTP_X_FORWARDED_FOR']) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}
// $ip (and other request-derived values) are interpolated straight into the SQL text
DBQuery("INSERT INTO hacking_log (HOST_NAME,IP_ADDRESS,LOGIN_DATE,VERSION,PHP_SELF,DOCUMENT_ROOT,SCRIPT_NAME,MODNAME,USERNAME)
 values
('$_SERVER[SERVER_NAME]','$ip','" . date('Y-m-d') . "','$openSISVersion','$_SERVER[PHP_SELF]','$_SERVER[DOCUMENT_ROOT]','$_SERVER[SCRIPT_NAME]','$_REQUEST[modname]','" . User('USERNAME') . "')");
```

@francoisjacquet so if HTTP_X_FORWARDED_FOR is defined (it can simply be set in the HTTP header), the value given by the attacker will be assigned to the $ip variable, not the REMOTE_ADDR. This will cause an SQL injection vulnerability. The PoC is already in the profile of @d0ub1edd. I verified that it works in the latest version.

https://github.com/d0ub1edd/CVE-Reference/blob/main/CVE-2024-46626.md

lodos2005 avatar Oct 05 '24 09:10 lodos2005
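One way to harden the block discussed above, as an added example that is not openSIS code: only honour X-Forwarded-For behind a known proxy, validate the result as an IP address, and bind every value with a prepared statement. The trusted-proxy list, the `clientIp` and `logHackingAttempt` names, and the use of PDO are assumptions.

```php
<?php
// Added example (not openSIS code): resolve the client IP defensively and log it
// with a prepared statement instead of interpolating values into the SQL text.

// Only honour X-Forwarded-For when the request came from a known proxy.
// Constructed list for illustration; a real deployment reads it from configuration.
const TRUSTED_PROXIES = ['10.0.0.2'];

function clientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';

    if ($xff !== '' && in_array($remote, TRUSTED_PROXIES, true)) {
        // XFF may carry a comma-separated chain; the left-most entry is the client.
        $candidate = trim(explode(',', $xff)[0]);
    } else {
        $candidate = $remote;
    }

    // Anything that is not a syntactically valid IPv4/IPv6 address is rejected, so a
    // spoofed header carrying SQL fragments can never reach the query.
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        $candidate = filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
    }
    return $candidate;
}

function logHackingAttempt(PDO $db, array $server, array $request, string $version, string $username): void
{
    // Bound parameters keep every value out of the statement text, so untrusted
    // header and request data (modname, PHP_SELF, ...) cannot alter its structure.
    $stmt = $db->prepare(
        'INSERT INTO hacking_log (HOST_NAME, IP_ADDRESS, LOGIN_DATE, VERSION, PHP_SELF,
            DOCUMENT_ROOT, SCRIPT_NAME, MODNAME, USERNAME)
         VALUES (:host, :ip, :date, :version, :self, :root, :script, :modname, :user)'
    );
    $stmt->execute([
        ':host'    => $server['SERVER_NAME'] ?? '',
        ':ip'      => clientIp($server),
        ':date'    => date('Y-m-d'),
        ':version' => $version,
        ':self'    => $server['PHP_SELF'] ?? '',
        ':root'    => $server['DOCUMENT_ROOT'] ?? '',
        ':script'  => $server['SCRIPT_NAME'] ?? '',
        ':modname' => $request['modname'] ?? '',
        ':user'    => $username,
    ]);
}
```

Call it as `logHackingAttempt($pdo, $_SERVER, $_REQUEST, $openSISVersion, User('USERNAME'))` where the original DBQuery call sits.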

@lodos2005 thanks, I just didn't expand the code up to the HTTP_X_FORWARDED_FOR header.

HTTP_* headers can indeed be spoofed.

francoisjacquet avatar Oct 05 '24 10:10 francoisjacquet

@d0ub1edd Thank you for addressing this critical vulnerability. We appreciate your prompt action in identifying and fixing the SQL Injection issue. This fix significantly improves the security posture of the application and helps prevent potential data breaches. Great work!

Anwesha-sys avatar Jun 23 '25 16:06 Anwesha-sys