Talos Intelligence TALOS-2017-0313
Jul 19, 2017 - 12:00 a.m.

ProcessMaker Enterprise Core Multiple SQL Injection Vulnerabilities

2017-07-19 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2: 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

CVSS3: 7.4 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

EPSS: 0.001 Low (Percentile 26.8%)

Summary

Multiple exploitable SQL injection vulnerabilities exist in ProcessMaker Enterprise Core 3.0.1.7-community. Specially crafted web requests can cause SQL injection. An attacker can send a web request whose parameters contain SQL injection payloads to trigger these vulnerabilities, potentially allowing exfiltration of the database, including user credentials, and in certain setups access to the underlying operating system.

Tested Versions

ProcessMaker Enterprise Core 3.0.1.7-community

Product URLs

https://www.processmaker.com/community-2

CVSSv3 Score

7.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Details

SQL injection has been found and confirmed in ProcessMaker Enterprise Core. A successful attack could allow an attacker to access information such as usernames and password hashes stored in the database.

The following URLs and parameters have been confirmed to be vulnerable to SQL injection and could be exploited by authenticated attackers:

GET /sysworkflow/en/neoclassic/events/eventsAjax?request=eventList&start=1&limit=25&process=1&type=1&status=1&sort=[SQL INJECTION]&dir=ASC HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close

POST /sysworkflow/en/neoclassic/cases/proxyPMTablesSaveFields.php HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

callback=1&dir=1&sort=[SQL INJECTION]&query=1&table=1&action=1

POST /sysworkflow/en/neoclassic/cases/proxyProcessList.php?t=1&callback=a&dir=/&query=13 HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

sort=[SQL INJECTION]

GET /sysworkflow/en/neoclassic/tools/translationsAjax.php?function=changeLabel&cat=1[SQL INJECTION]&node=1&lang=1&langLabel=1&label=1 HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close

GET /sysworkflow/en/neoclassic/tools/translationsAjax.php?function=changeLabel&cat=1&node=1&lang=1[SQL INJECTION]&langLabel=1&label=1 HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close

GET /sysworkflow/en/neoclassic/tools/translationsAjax.php?function=changeLabel&cat=1&node=1[SQL INJECTION]&lang=1&langLabel=1&label=1 HTTP/1.1
Host: box
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://box/sysworkflow/en/neoclassic/login/authentication.php
Cookie: workspaceSkin=neoclassic; PHPSESSID=PCSLlabz
Connection: close

Unauthenticated SQL injection:

GET /gulliver/genericAjax?request=storeInTmp&pkt=int&pk=[SQL Injection]&table=a[SQL Injection]&cnn=[CONNECTION NAME] HTTP/1.1
Host: 192.168.56.101
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Note: For this SQL injection to work, the 'cnn' parameter needs to be known, as it is the parameter used to establish the connection with the database. The following code, which can be invoked directly on the server, contains the issue:

gulliver/methods/genericAjax.php
    case 'storeInTmp':
      try {
        // The connection name, the identifiers and the inserted value all come straight from $_GET.
        $con = Propel::getConnection($_GET['cnn']);
        if($_GET['pkt'] == 'int'){
          // 'pk' and 'table' are interpolated into the query unquoted and unvalidated.
          $rs = $con->executeQuery("SELECT MAX({$_GET['pk']}) as lastId FROM {$_GET['table']};");
          $rs->next();
          $row = $rs->getRow();
          $gKey = (int)$row['lastId'] + 1;

        } else {
          $gKey = G::encryptOld(date('Y-m-d H:i:s').'@'.rand());
        }

        // 'table', 'pk', 'fld' and 'value' are interpolated as well; nothing is bound as a parameter.
        $rs = $con->executeQuery("INSERT INTO {$_GET['table']} ({$_GET['pk']}, {$_GET['fld']}) VALUES ('$gKey', '{$_GET['value']}');");

        echo "{status: 1, message: \"success\"}";
      } catch (Exception $e) {
        $err = $e->getMessage();
        //$err = eregi_replace("[\n|\r|\n\r]", ' ', $err);
        $err = preg_replace("[\n|\r|\n\r]", " ", $err); //Made compatible to PHP 5.3

        // The raw database error message is returned to the client.
        echo "{status: 0, message: \"" . $err . "\"}";
      }
      break;
  }
}
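
A hardened version of the handler above, added here as an example and not taken from ProcessMaker: the table and column names from the request are checked against a server-side allowlist, the database connection is chosen by the server rather than by the 'cnn' parameter, and the inserted value is bound through a prepared statement. It uses plain PDO with an in-memory SQLite database instead of ProcessMaker's Propel wrapper; the TMP_DEMO table and its allowlist are constructed for the example.

```php
<?php
// Added example (not ProcessMaker code): hardened storeInTmp handler.
// Constructed allowlist: temporary table => columns that may be written.
const TMP_TABLES = [
    'TMP_DEMO' => ['TMP_ID', 'TMP_LABEL'],
];

// An identifier is usable only if it is literally one of the allowlisted names;
// no characters from the request ever reach the SQL text otherwise.
function identifierAllowed(string $table, string $column): bool
{
    return array_key_exists($table, TMP_TABLES)
        && in_array($column, TMP_TABLES[$table], true);
}

// Returns ['status' => 1, ...] on success, ['status' => 0, ...] when the request is rejected.
// $con is the server's own connection; the request cannot select a different one.
function storeInTmpSafe(PDO $con, array $get): array
{
    $table = $get['table'] ?? '';
    $pk    = $get['pk'] ?? '';
    $fld   = $get['fld'] ?? '';
    if (!identifierAllowed($table, $pk) || !identifierAllowed($table, $fld)) {
        return ['status' => 0, 'message' => 'invalid table or column'];
    }
    // Known-good identifiers, quoted as standard SQL (MySQL would need backticks).
    $qTable = "\"$table\""; $qPk = "\"$pk\""; $qFld = "\"$fld\"";

    if (($get['pkt'] ?? '') === 'int') {
        // MAX() of an empty table is NULL, so the first key becomes 1.
        $gKey = (int)$con->query("SELECT MAX($qPk) AS lastId FROM $qTable")->fetchColumn() + 1;
    } else {
        $gKey = bin2hex(random_bytes(16));   // stands in for G::encryptOld(...)
    }
    // The user-controlled value is a bound parameter, never part of the SQL string.
    $stmt = $con->prepare("INSERT INTO $qTable ($qPk, $qFld) VALUES (:key, :value)");
    $stmt->execute([':key' => $gKey, ':value' => $get['value'] ?? '']);
    return ['status' => 1, 'message' => 'success'];
}

// Demo against an in-memory SQLite database (constructed schema).
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE "TMP_DEMO" ("TMP_ID" INTEGER, "TMP_LABEL" TEXT)');

// Benign request: accepted, and the quote in the value is stored verbatim.
var_dump(storeInTmpSafe($con, ['pkt' => 'int', 'table' => 'TMP_DEMO', 'pk' => 'TMP_ID',
                                'fld' => 'TMP_LABEL', 'value' => "O'Brien"]));
// Request shaped like the advisory's PoC (payload in an identifier): rejected before any SQL runs.
var_dump(storeInTmpSafe($con, ['pkt' => 'int', 'table' => 'TMP_DEMO', 'pk' => 'TMP_ID) --',
                                'fld' => 'TMP_LABEL', 'value' => 'x']));
```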

Mitigation

Restrict access to known, trusted users and hosts.

Timeline

2016-02-15 - Vendor Disclosure
2017-07-19 - Public Release

