View Issue Details

| Field | Value |
|---|---|
| ID | 0027495 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2020-11-10 16:31 |
| Last Update | 2020-12-30 07:37 |
| Reporter | ethicalhcop |
| Assigned To | dregad |
| Priority | high |
| Severity | crash |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Target Version | 2.24.4 |
| Fixed in Version | 2.24.4 |
| Summary | 0027495: CVE-2020-28413: SQL injection in the parameter "access" of the mc_project_get_users function through the SOAP API. |
| Description | Through the function mc_project_get_users on the SOAP API, it's possible to inject SQL commands in the parameter "access". So, creating a union select query, it's possible to generate a blind SQL injection using the IF function on the database to discover different data in the application, like password hashes. Also, it's possible to exploit it using SQLMap. |
| Steps To Reproduce | 1- Start up Burp Suite. Also, you can do it manually. |
| Additional Information | According to CVSS 3.1, the CVE is Reserved. The closest solution is to parametrize the SQL queries and avoid inserting parameters directly into the query. |
| Tags | No tags attached. |
| Attached Files | |
Hello, many thanks for your report and responsible disclosure. I believe that the vulnerability you discovered should be fixed in the current master branch (2.25.0-dev since commit MantisBT master 682a182d). Would you be able to test again to confirm, using the latest nightly build?

The code in project API allowing the SQL injection by not using query parameters exists at least since 1.0.0.a1. The exploitable vulnerability via SOAP API described here exists since 1.1.0a4. @ethicalhcop waiting for your confirmation that code in master branch is no longer vulnerable (as far as I can tell, it is not).

Hello dregad. Yes sure, let me try again in the night and report to you tomorrow :D! Regards.

Hello. Let me tell you that I retested the app again in the bb10211 compilation and the vulnerability was fixed successfully. So, remember that I will make the public disclosure on December 11. Regularly I do a walkthrough and write a script to exploit the vulnerability; I don't know if you have some protocol.

Not sure what you mean by protocol.

Perfect! Thank you for all.

@ethicalhcop, I'm sorry, but the December 11 deadline you set might turn out to be a little short, as I have a series of other security issues that I'm still working on, and I'm not 100% sure at this time that I'll have everything ready by Friday. Would you mind postponing your going public by a few days? I'll give you the green light as soon as I'm done.

@ethicalhcop Thanks for your understanding. I'll ping you here as soon as I'm ready.

Thanks for the heads up. I was hoping to finalize fixing the other issues last weekend but unfortunately didn't have enough time. So now there are a few options (in my order of preference / feasibility):
Let me know your thoughts.
|
MantisBT: master 3e37b404 2020-11-21 00:34

Fix SQL injection in Project API

The query's where clause in project_get_all_user_rows() was built by concatenating an unsanitized variable, allowing SQL injection via SOAP API's mc_project_get_users() function using a crafted request. Relying on DbQuery object ensures use of query parameters, making the SQL injection impossible.

Partial backport from commit 682a182d4b2ae9abd2edb9c2ed40eb80723988b1.

Fixes 0027495, CVE-2020-28413

Affected Issues 0027495

mod - core/project_api.php
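The commit message describes a WHERE clause built by concatenating the unsanitized "access" value, fixed by binding it as a query parameter. The following is an added example written for this page, not MantisBT's code: MantisBT is PHP and its fix uses its DbQuery class, so this is a simplified Python/sqlite3 model of the same before/after pattern; the table layout, sample users, hashes and function names are assumptions.

```python
import sqlite3

# Constructed sample rows modelled on the columns the report talks about:
# (id, username, access_level, password hash). The hashes are placeholders.
SAMPLE_USERS = [
    (1, "administrator", 90, "<hash-placeholder-1>"),
    (2, "manager", 70, "<hash-placeholder-2>"),
    (3, "reporter", 25, "<hash-placeholder-3>"),
]


def make_db():
    """Build an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER, username TEXT, "
        "access_level INTEGER, password TEXT)"
    )
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def get_users_concat(conn, access):
    """Pre-fix pattern (hypothetical simplification of the old
    project_get_all_user_rows): the caller-supplied 'access' value is
    concatenated into the WHERE clause, so the database parses whatever it
    contains as SQL text rather than as a value."""
    sql = ("SELECT username FROM user WHERE access_level >= "
           + str(access) + " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def get_users_bound(conn, access):
    """Post-fix pattern: the statement shape is fixed and 'access' travels as
    a bound parameter, so its content can only ever be compared as a value
    and cannot change the query's structure."""
    sql = "SELECT username FROM user WHERE access_level >= ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (access,))]


def compare(access):
    """Run both variants on the same input and return (concat, bound)."""
    conn = make_db()
    try:
        return get_users_concat(conn, access), get_users_bound(conn, access)
    finally:
        conn.close()
```

With a legitimate integer both variants agree; with a structure-changing string the concatenated query returns every user while the bound query returns none, because the text is compared as a value, not parsed as SQL.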