SQL Injection in expenses/ajax.php & loan-management/ajax.php in unilogies/bumsys

Valid

Reported on

Apr 27th 2023


Description

An administrator user can use different operations and parameters to execute SQL queries.

-employeeId on operation addMonthlySalary in expenses/ajax.php.

-returnAdvancePaymentEmployee on operation returnAdvancePaymentSubmit, in expenses/ajax.php.

-id on operation editLoan in loan-management/ajax.php.

-loanBorrower on operation addNewInstallment in loan-management/ajax.php.

A similar case was reported and fixed for the productDetailsForReturn operation in this bounty, but these endpoints are still vulnerable.

Proof of Concept

Expenses

The vulnerable php code is in module/expenses/ajax.php.

There are two different points where an SQL injection can be triggered, via the employeeId and returnAdvancePaymentEmployee parameters.

The first is on line 1563, in the addMonthlySalary operation. The employeeId parameter is obtained from the request on line 1544 and is sanitized with the safe_input method.

However, the parameter is placed into the SQL query as if it were an integer, and this is not enforced with quotes:

That is why malicious SQL can be injected, for example:

Content-Disposition: form-data; name="employeeId"

1 OR (SELECT SLEEP(5))

As we can see, the response is delayed by 5 seconds because the SLEEP is executed.


The second vulnerable code is in returnAdvancePaymentSubmit, on line 3884, where returnAdvancePaymentEmployee is also appended without quotes:

Loan-Management

The vulnerable php code is in module/loan-management/ajax.php.

There are two different points where an SQL injection can be triggered, via the id and loanBorrower parameters.

The first is on line 269, in the editLoan operation. The id parameter is obtained from the request on line 262 and is sanitized with the safe_input method.

However, the parameter is placed into the SQL query as if it were an integer, and this is not enforced with quotes:

That is why malicious SQL can be injected, for example:

1+AND+(SELECT+SLEEP(5))

As we can see, the response is delayed by 5 seconds because the SLEEP is executed.


The second vulnerable code is in addNewInstallment, on line 745, where loanBorrower is also appended without quotes:


In all these cases, the fix is the same as in the other bounty mentioned above.
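To show why escaping alone does not protect an unquoted integer placeholder, and what a type-enforcing fix looks like, here is an added PHP example. It is not bumsys code: the escape_like_safe_input stand-in, the table and column names, and the function names are assumptions for illustration, and the bumsys fix referenced above may differ.

```php
<?php
// Added illustration, not code from bumsys.

// Stand-in for a typical safe_input(): trims and escapes quotes/backslashes.
// Assumption: the real helper in bumsys may behave differently.
function escape_like_safe_input(string $value): string {
    return addslashes(trim($value));
}

// Vulnerable pattern from the report: the escaped value is interpolated without
// quotes, so any value that contains no quote characters passes through verbatim
// and becomes part of the SQL text ("id = 1 OR (SELECT SLEEP(5))").
function buildSalaryQueryVulnerable(string $employeeId): string {
    $employeeId = escape_like_safe_input($employeeId);
    return "SELECT * FROM employees WHERE id = $employeeId";
}

// Fix 1: enforce the integer type before the value can reach any query.
function validateEmployeeId(string $raw): int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('employeeId must be a positive integer');
    }
    return $id;
}

// Fix 2 (preferred, and combinable with fix 1): bind the value as a typed
// parameter so it is never concatenated into the SQL text at all.
function fetchEmployee(PDO $db, string $rawEmployeeId): array|false {
    $stmt = $db->prepare('SELECT * FROM employees WHERE id = :id');
    $stmt->bindValue(':id', validateEmployeeId($rawEmployeeId), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Demonstration with the report's own payload; no database is needed for this part.
$payload = '1 OR (SELECT SLEEP(5))';
// The escaping helper leaves the payload unchanged, so it lands in the query text.
echo buildSalaryQueryVulnerable($payload), "\n";

// The validating version rejects the same input before any query is built.
try {
    validateEmployeeId($payload);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
// A genuine identifier is accepted and returned as an int.
var_dump(validateEmployeeId('42'));
```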

Impact

A user with administrator privileges can run SQL queries against the database. This can be used to retrieve sensitive data, modify database contents, or carry out any other malicious activity against the database.

We are processing your report and will contact the unilogies/bumsys team within 24 hours. a month ago
Khurshid Alam validated this vulnerability a month ago
Jordi Miralles has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Khurshid Alam marked this as fixed in 2.2.0 with commit e71c02 a month ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability a month ago
ajax.php#L745 has been validated
ajax.php#L269 has been validated
ajax.php#L3884 has been validated
ajax.php#L1563 has been validated
Jordi Miralles
22 days ago

Researcher


Hi @maintainer, can I get a CVE for this report?
