SQL Injection in '/module/accounts/ajax.php' in unilogies/bumsys

Valid

Reported on

Mar 2nd 2023


Description

There is an SQL injection affecting the ['order'][0]['dir'], start and length parameters in the file /module/accounts/ajax.php.

Let's take a look at the following code: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/module/accounts/ajax.php#L1503

        group by company_id order by company_name ". safe_input($requestData['order'][0]['dir']) ."
        LIMIT ". safe_input($requestData['start']) .", ". safe_input($requestData['length']) ."

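Even though the input variables are sanitized, they are concatenated into the query outside of any quoted string (as the ORDER BY direction and the LIMIT operands), so no quotes are needed to inject into the SQL query.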

Fix

Sanitize the ['order'][0]['dir'], start and length parameters.

Impact

Authenticated users are able to disclose the contents of the database.
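
One way to apply the fix described above, shown as an added example and not the project's own patch: the sort direction is mapped onto a fixed keyword and the LIMIT operands are validated as integers, so no request text reaches the unquoted positions. The function names, the default page size of 25 and the cap of 500 are assumptions.

```php
<?php
// Added example, not code from unilogies/bumsys. All function names are hypothetical.

/** Map a client-supplied sort direction onto one of two fixed SQL keywords. */
function sort_direction($value): string
{
    // Anything other than a case-insensitive "desc" falls back to ASC,
    // so the ORDER BY clause only ever receives a literal from this file.
    return (is_string($value) && strtolower(trim($value)) === 'desc') ? 'DESC' : 'ASC';
}

/** Return $value as an int within [$min, $max], or $default when it is not a plain integer. */
function bounded_int($value, int $default, int $min, int $max): int
{
    // FILTER_VALIDATE_INT rejects arrays, null, "1e3", "0 OR 1" and out-of-range numbers.
    $n = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $n === false ? $default : $n;
}

/** Build the unquoted tail of the query from validated values only. */
function order_limit_clause(array $requestData): string
{
    $dir    = sort_direction($requestData['order'][0]['dir'] ?? null);
    $start  = bounded_int($requestData['start'] ?? null, 0, 0, PHP_INT_MAX);
    $length = bounded_int($requestData['length'] ?? null, 25, 1, 500); // assumed default and cap
    return "group by company_id order by company_name {$dir} LIMIT {$start}, {$length}";
}

// Constructed sample requests (not captured traffic): one well-formed,
// one with quote-free text in each of the three parameters.
$samples = [
    ['order' => [['dir' => 'desc']], 'start' => '20', 'length' => '10'],
    ['order' => [['dir' => 'asc, company_id']], 'start' => '0 OR 1', 'length' => '-1'],
];
foreach ($samples as $req) {
    echo order_limit_clause($req), PHP_EOL;
}
```

The second sample falls back to ASC and the default LIMIT values because none of its three fields passes validation.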

We are processing your report and will contact the unilogies/bumsys team within 24 hours. 3 months ago
We have contacted a member of the unilogies/bumsys team and are waiting to hear back 3 months ago
Khurshid Alam validated this vulnerability 3 months ago
TsarSec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Khurshid Alam marked this as fixed in 2.2.0 with commit 1b426f a month ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability a month ago