GHSA-69wx-xc6j-28v3

Suggest an improvement
Source
https://github.com/advisories/GHSA-69wx-xc6j-28v3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-69wx-xc6j-28v3/GHSA-69wx-xc6j-28v3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-69wx-xc6j-28v3
Aliases
Published
2024-07-29T16:31:46Z
Modified
2024-07-29T16:56:56.624294Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
  • 9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
Admidio has Blind SQL Injection in ecard_send.php
Details

Description:

An SQL Injection has been identified in the /adm_program/modules/ecards/ecard_send.php source file of the Admidio Application. The SQL Injection results in a compromise of the application's database. The value of ecard_recipientsPOST parameter is being directly concatenated with the SQL query in the source code causing the SQL Injection.

The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and Out of band interaction SQL Injection payloads. I successfully exploited SQL Injections by causing Time Delays. Advancing the payload, I was able to exfiltrate data from the database based on trial and error conditions and step-wise enumerating the characters of the database name. This was done as a POC of SQL Injection. An attacker could simply drop the database by providing a single payload, steal data, and potentially update the database according to their will.

Impact:

SQL injection (SQLi) vulnerabilities can have serious consequences for the security of a web application and its underlying database. Attackers can use SQLi to access sensitive data, and modify, delete, or add data to the database. SQLi can also be potentially used to perform RCE.

Remediation:

Use parameterized queries or prepared statements instead of concatenating user input directly into SQL queries. Parameterized queries ensure that user input is treated as data and not executable queries. OR Sanitize the input before including it in the SQL Query.

Steps to Reproduce:

  • Intercept the POST request to /adm_program/modules/ecards/ecard_send.php, which is used to send photo as greeting card.
  • Change the value of ecard_recipients%5B%5D POST parameter to 2%2bsleep(10).
  • Sending the request will cause a time delay.

Proof Of Concept:

image Figure 1: Code Vulnerable to SQL Injection

image Figure 2: Code Vulnerable to SQL Injection

image Figure 3: SQLi to trigger time delay

image Figure 4: Data Exfiltration via Condition-based Time Delays

Database specific 
{
    "nvd_published_at": "2024-07-29T15:15:10Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-29T16:31:46Z"
}
References

Affected packages

Packagist / admidio/admidio

Package

Name
admidio/admidio
Purl
pkg:composer/admidio/admidio

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.9

Affected versions

4.*

4.1.0
4.1.3

v4.*

v4.2-Beta.1
v4.2-Beta.2
v4.2-Beta.3
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v4.2.10
v4.2.11
v4.2.12
v4.2.13
v4.2.14
v4.3-Beta.1
v4.3-Beta.3
v4.3-Beta.4
v4.3-Beta.5
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7
v4.3.8