SQL Injection in expenses/ajax.php & loan-management/ajax.php in unilogies/bumsys

Valid

Reported on

Apr 27th 2023


Description

An administrator user can use different operations and parameters to execute SQL queries.

-employeeId on operation addMonthlySalary in expenses/ajax.php.

-returnAdvancePaymentEmployee on operation returnAdvancePaymentSubmit, in expenses/ajax.php.

-id on operation editLoan in loan-management/ajax.php.

-loanBorrower on operation addNewInstallment in loan-management/ajax.php.

A similar case was reported and fixed on productDetailsForReturn operation in this bounty, but this endpoints are still vulnerable.

Proof of Concept

Expenses

The vulnerable php code is in module/expenses/ajax.php.

There are 2 different points where an SQL Injection can be triggered with employeeId and returnAdvancePaymentEmployee parameter.

First of them is on line 1563, on addMonthlySalary operation. The parameter employeeId is obtained from query on line 1544 and it is sanitized with safe_input method.

However, the parameter is setted on the SQL Query assuming that is an Integer and it is not enforced using quotes:

That's why we can inject malicious SQL Queries as:

Content-Disposition: form-data; name="employeeId"

1 OR (SELECT SLEEP(5))

As we can see, the response is delayed 5 seconds because it is executing the Sleep.


The second vulnerable code is on returnAdvancePaymentSubmit, on line 3884, where the returnAdvancePaymentEmployee is also appended without quotes:

Loan-Management

The vulnerable php code is in module/loan-management/ajax.php.

There are 2 different points where an SQL Injection can be triggered with id and loanBorrower parameter.

First of them is on line 269, on editLoan operation. The parameter id is obtained from query on line 262 and it is sanitized with safe_input method.

However, the parameter is setted on the SQL Query assuming that is an Integer and it is not enforced using quotes:

That's why we can inject malicious SQL Queries as:

1+AND+(SELECT+SLEEP(5))

As we can see, the response is delayed 5 seconds because it is executing the Sleep.


The second vulnerable code is on addNewInstallment, on line 745, where the loanBorrower is also appended without quotes:


In all this cases, the fix is the same as on the other bounty stated above.

Impact

A user with administrator privileges can run SQL queries on database. This can be used to retrieve sensitive data, change database information or any other malicious activity against the database.

We are processing your report and will contact the unilogies/bumsys team within 24 hours. 10 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 10 months ago
Khurshid Alam validated this vulnerability 10 months ago
jomc98 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Khurshid Alam marked this as fixed in 2.2.0 with commit e71c02 10 months ago
Khurshid Alam has been awarded the fix bounty
This vulnerability has now been published 10 months ago
ajax.php#L745 has been validated
ajax.php#L269 has been validated
ajax.php#L3884 has been validated
ajax.php#L1563 has been validated
Jordi Miralles
10 months ago

Researcher


Hi @maintainer, can I get a CVE for this report?

to join this conversation