Talos Vulnerability Report
TALOS-2020-1126
ProcessMaker sort parameter multiple SQL Injection Vulnerabilities
November 17, 2020
CVE Number
CVE-2020-13525, CVE-2020-13526
Summary
Multiple SQL injection vulnerabilities exist in the handling of sort parameters in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.
Tested Versions
ProcessMaker 3.4.11
Product URLs
<https://www.processmaker.com/>
CVSSv3 Score
6.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Details
ProcessMaker is a software suite used for workflow management. It can be used to automate workflows, create documents, assign roles and users to processes, and more.
It has an open-source community version and a commercial version. It is used by many large companies such as Airbus, Sony and Bridgestone.
The reportTables_Ajax and clientSetupAjax pages are vulnerable to SQL injection in the sort parameter.
CVE-2020-13525 - reportTables_Ajax page
The sort parameter in the download page /sysworkflow/en/neoclassic/reportTables/reportTables_Ajax is vulnerable to SQL injection.
Below is an example request that will trigger the vulnerability:
POST /sysworkflow/en/neoclassic/reportTables/reportTables_Ajax HTTP/1.1
Host: [IP]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 82
Origin: http://[IP]
DNT: 1
Connection: close
Referer: http://[IP]/sysworkflow/en/neoclassic/processes/mainInit
Cookie: PM-Warning=Warning%3A+Processmaker+does+not+permit+you+to+open+multiple+tabs+in+the+same+browser+session+because+of+security+restrictions.++This+page+will+be+closed.; workspaceSkin=neoclassic; PHPSESSID=ja3jegutcirelr3g3tid62tcoq; PM-TabPrimary=101010010; singleSignOn=0
start=0&limit=20&option=UPD&pageSize=20&search=&sort=[SQL INJECTION]&action=list&dir=1
The sort parameter is read in ‘reportTables_Ajax.php’ on line 304 and passed to the AdditionalTables::getAll function, which eventually uses it as part of an ORDER BY clause in the ‘workflow/engine/classes/model/om/BaseAdditionalTablesPeer.php’ source file at line 353.
297 $limit = isset( $_REQUEST['limit'] ) ? $_REQUEST['limit'] : $limit_size;
298 $filter = isset( $_REQUEST['textFilter'] ) ? $_REQUEST['textFilter'] : '';
299 $pro_uid = isset( $_REQUEST['pro_uid'] ) ? $_REQUEST['pro_uid'] : '';
300
301 $process = $pro_uid == '' ? array ('not_equal' => $pro_uid
302 ) : array ('equal' => $pro_uid
303 );
304 $addTab = AdditionalTables::getAll( $start, $limit, $filter, $process );
CVE-2020-13526 - clientSetupAjax page
The ‘sort’ parameter in the download page clientSetupAjax is vulnerable to SQL injection.
Below is an example request that will trigger the vulnerability:
POST /sysworkflow/en/neoclassic/oauth2/clientSetupAjax HTTP/1.1
Host: [IP]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 74
Origin: https://[IP]
DNT: 1
Connection: close
Referer: https://[IP]/sysworkflow/en/neoclassic/oauth2/clientSetup
Cookie: PM-Warning=Warning%3A+Processmaker+does+not+permit+you+to+open+multiple+tabs+in+the+same+browser+session+because+of+security+restrictions.++This+page+will+be+closed.; workspaceSkin=neoclassic; PHPSESSID=fnqndjde6cctk4rtpjgp63eru7; PM-TabPrimary=101010010; pm_sys_sys={"sys_sys": "workflow"}; singleSignOn=0
start=0&limit=20&option=LST&pageSize=20&search=&sort=CLIENT_NAME[SQL INJECTION]&dir=ASC
The sort parameter is vulnerable to SQL injection in workflow/engine/methods/oauth2/clientSetupAjax.php on line 76. The parameter is used to formulate a query that is executed against the backend database once the getAll function is called.
72 case "LST":
73 $pageSize = $_POST["pageSize"];
74 $search = $_POST["search"];
75
76 $sortField = (isset($_POST["sort"]))? $_POST["sort"]: "";
77 $sortDir = (isset($_POST["dir"]))? $_POST["dir"]: "";
78 $start = (isset($_POST["start"]))? $_POST["start"]: 0;
79 $limit = (isset($_POST["limit"]))? $_POST["limit"]: $pageSize;
80
81 try {
82 $oclient = new OauthClients();
83 $result = $oclient->getAll(array("USR_UID" => $_SESSION["USER_LOGGED"], "SEARCH" => $search), $sortField, $sortDir, $start, $limit);
84
85 $response["status"] = "OK";
86 $response["success"] = true;
87 $response["resultTotal"] = $result["numRecTotal"];
88 $response["resultRoot"] = $result["data"];
89 } catch (Exception $e) {
90 $response["status"] = "ERROR";
91 $response["message"] = $e->getMessage();
92 }
93 break;
94 }
95
96 echo G::json_encode($response);
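Both pages share the same root cause: the sort value is forwarded verbatim into an ORDER BY clause. The following is an added example (not ProcessMaker's code) showing the vulnerable pattern from clientSetupAjax.php next to an allowlist-based replacement that maps the client-facing sort name to a known column and restricts the direction to ASC or DESC; the CLIENT_NAME column comes from the request above, the CLIENT_ID column and the function names are assumptions.

```php
<?php
// Added example: validating sort/dir with an allowlist before they reach SQL.

/**
 * Build a safe ORDER BY fragment from untrusted request parameters.
 * $allowedColumns maps the client-facing sort name to the real column name.
 * Any sort value not in the map, or any direction other than ASC/DESC,
 * is rejected instead of being concatenated into the query.
 */
function buildOrderBy(array $request, array $allowedColumns, string $defaultColumn): string
{
    $sort = isset($request['sort']) ? (string) $request['sort'] : $defaultColumn;
    $dir  = isset($request['dir']) ? strtoupper((string) $request['dir']) : 'ASC';

    if (!array_key_exists($sort, $allowedColumns)) {
        throw new InvalidArgumentException('Unknown sort column');
    }
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        throw new InvalidArgumentException('Invalid sort direction');
    }
    // Only values taken from the allowlist are ever placed in the SQL string.
    return 'ORDER BY ' . $allowedColumns[$sort] . ' ' . $dir;
}

// Vulnerable shape from clientSetupAjax.php line 76: the raw value is forwarded as-is.
function vulnerableSortField(array $post): string
{
    return (isset($post['sort'])) ? $post['sort'] : '';
}

// Constructed inputs. CLIENT_ID is a hypothetical column for illustration.
$allowed = ['CLIENT_NAME' => 'CLIENT_NAME', 'CLIENT_ID' => 'CLIENT_ID'];
$legit   = ['sort' => 'CLIENT_NAME', 'dir' => 'ASC'];
$hostile = ['sort' => 'CLIENT_NAME[SQL INJECTION]', 'dir' => 'ASC'];  // placeholder from the advisory

// The vulnerable helper hands the untrusted string straight through.
echo vulnerableSortField($hostile) . PHP_EOL;

// The allowlisted builder accepts the legitimate request and rejects the other.
echo buildOrderBy($legit, $allowed, 'CLIENT_NAME') . PHP_EOL;
try {
    buildOrderBy($hostile, $allowed, 'CLIENT_NAME');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The reportTables_Ajax request above sends dir=1 rather than ASC/DESC; a deployment using numeric direction flags would map 1 and 0 to the two keywords before the check rather than widening the allowlist.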
Timeline
2020-07-21 - Vendor Disclosure
2020-10-21 - Disclosure release deadline extended 30 days
2020-11-04 - Vendor acknowledged timeline for patch
2020-11-17 - Public Release
Credit
Discovered by Yuri Kramarz of Cisco Talos.