SQL Injection in '/module/accounts/ajax.php' in unilogies/bumsys


Reported on

Mar 2nd 2023


There exists an SQL injection affecting the ['order'][0]['dir'], start and length parameters located in the file /module/accounts/ajax.php

Let's take a look at the following code: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/module/accounts/ajax.php#L1503

        group by company_id order by company_name ". safe_input($requestData['order'][0]['dir']) ."
        LIMIT ". safe_input($requestData['start']) .", ". safe_input($requestData['length']) ."

Even though the input variables are sanitized, there are no quotes needed to inject into the SQL query.


Sanitize ['order'][0]['dir'], start and length parameters


Authenticated users are able to disclose the contents of the database.

We are processing your report and will contact the unilogies/bumsys team within 24 hours. 3 months ago
We have contacted a member of the unilogies/bumsys team and are waiting to hear back 3 months ago
Khurshid Alam validated this vulnerability 3 months ago
TsarSec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Khurshid Alam marked this as fixed in 2.2.0 with commit 1b426f a month ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability a month ago
to join this conversation