SQL Injection in '/module/accounts/ajax.php' in unilogies/bumsys

Valid

Reported on

Mar 2nd 2023


Description

There is an SQL injection affecting the ['order'][0]['dir'], start and length request parameters handled in the file /module/accounts/ajax.php.

Let's take a look at the following code: https://github.com/unilogies/bumsys/blob/9dc2de204116297a7e528c38bc3b1e89bf40f907/module/accounts/ajax.php#L1503

        group by company_id order by company_name ". safe_input($requestData['order'][0]['dir']) ."
        LIMIT ". safe_input($requestData['start']) .", ". safe_input($requestData['length']) ."

Even though the input values pass through safe_input(), they are concatenated into the ORDER BY and LIMIT clauses without surrounding quotes, so an attacker does not need a quote character to alter the query; quote escaping alone does not prevent injection at these positions.

Fix

Sanitize the ['order'][0]['dir'], start and length parameters.
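An added Python illustration of the point made in the description and of the fix above (not the project's code: the escape helper is a constructed stand-in for safe_input(), the table and rows are constructed, and SQLite stands in for MySQL). It shows that a quote-escaping sanitizer passes unquoted input through untouched, and that a corrected builder allowlists the sort direction and binds start/length as integer parameters instead of splicing them into the query text.

```python
import re
import sqlite3

# Constructed stand-in for a quote-escaping sanitizer in the style of safe_input()
# (assumption: the real function is not on the page). It neutralises quote characters
# only, which does nothing where the value lands in the query unquoted (ORDER BY, LIMIT).
def escape_quotes(value) -> str:
    return str(value).replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

ALLOWED_DIR = {"asc", "desc"}

def validate_order_dir(value) -> str:
    """Allowlist: only the keywords ASC or DESC may reach the query text."""
    v = str(value).strip().lower()
    if v not in ALLOWED_DIR:
        raise ValueError(f"invalid sort direction: {value!r}")
    return v.upper()

def validate_paging(value) -> int:
    """start/length must be plain non-negative integers and are bound, not spliced."""
    if not re.fullmatch(r"\d{1,6}", str(value)):
        raise ValueError(f"invalid paging argument: {value!r}")
    return int(value)

def build_query(request: dict):
    """Hardened builder: keyword from an allowlist, numbers as bound parameters."""
    direction = validate_order_dir(request["order"][0]["dir"])
    start, length = validate_paging(request["start"]), validate_paging(request["length"])
    sql = ("SELECT company_id, company_name FROM companies "
           f"GROUP BY company_id ORDER BY company_name {direction} LIMIT ?, ?")
    return sql, (start, length)

def run_query(request: dict) -> list:
    """Run the hardened query against a constructed in-memory table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE companies (company_id INTEGER, company_name TEXT)")
    con.executemany("INSERT INTO companies VALUES (?, ?)",
                    [(1, "Acme"), (2, "Zeta"), (3, "Bumsys")])
    rows = con.execute(*build_query(request)).fetchall()
    con.close()
    return rows

if __name__ == "__main__":
    good = {"order": [{"dir": "desc"}], "start": "0", "length": "2"}
    print(run_query(good))              # [(2, 'Zeta'), (3, 'Bumsys')]
    print(escape_quotes("desc extra"))  # unchanged: escaping has nothing to act on
```

Any value that is not exactly ASC/DESC or a bare integer is rejected before it reaches the database, which is what the escape-only approach in the original code cannot guarantee.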

Impact

Authenticated users are able to disclose the contents of the database.

Timeline

We are processing your report and will contact the unilogies/bumsys team within 24 hours. (a year ago)
A GitHub Issue asking the maintainers to create a SECURITY.md exists. (a year ago)
We have contacted a member of the unilogies/bumsys team and are waiting to hear back. (a year ago)
Khurshid Alam validated this vulnerability. (a year ago)
tsarsecurity has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Khurshid Alam marked this as fixed in 2.2.0 with commit 1b426f. (10 months ago)
Khurshid Alam has been awarded the fix bounty.
This vulnerability has now been published. (10 months ago)