A user with the ‘create’ or ‘update’ permissions can inject a parameter to create or edit arbitrary contact records. For example, the following request creates an arbitrary contact record:

injection-list/admin/contact/list?contact_id=’; DROP TABLE ‘; - 1;’;’

In addition, the following request deletes an arbitrary contact record:

injection-list/admin/contact/delete?contact_id=’; - 1;’;’

Additionally, the following request updates an arbitrary contact record:

injection-list/admin/contact/edit?contact_id=’; - 1;’;’

These are just a few examples of how a remote attacker can exploit this vulnerability to gain access to critical information that can be used to steal authentication credentials or perform other malicious actions.

Vulnerable Configuration

The ‘create’ and ‘update’ permissions must be accessible to users with ‘admin’ or ‘manager’ privileges.
The vulnerable parameter appears in the following URLs, where the value of contact_id is a number: injection-list/admin/contact/list?contact_id=1; injection-list/admin/contact/delete?contact_id=1; injection-list/admin/contact/edit?contact_id=1.

Manual Vulnerability Assessment

When performing a manual vulnerability assessment, it is recommended to run the following queries:
1. injection-list/admin/contact/list?contact_id=’; DROP TABLE ‘; - 1;’;’
2. injection-list/admin/contact/list?contact_id=’; CREATE TABLE ‘; - 1;’
3. injection-list/admin/contact/delete?contact_id=’; - 1;’
4. injection-list/admin/contact/edit?contact_id=’; - 1;’
5. injection-list/admin/user?username=root
6. injection-list/*

Vulnerability Details

The vulnerability is caused by insufficient authorization checks in the application. A remote attacker can exploit this vulnerability to inject a parameter to create or edit arbitrary contact records.

Affected Products and Versions

This vulnerability affects all versions of injection-list/admin/contact, starting with injection-list/admin/contact version 2.2-beta.0 released on April 3, 2018.

Vulnerability Details

The vulnerability allows a remote attacker to create, update, or delete arbitrary contact records.
A remote attacker can insert a special parameter that is not used elsewhere in the SQL statement to modify the contact record. This parameter will be added to any query that starts with "INSERT INTO".
An attacker would need to have a valid SQL injection vulnerability on the application and access to perform this attack.
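
As an added example (not code from the affected application, whose language and schema are not given on this page), the sketch below contrasts a delete handler that concatenates contact_id into the SQL text with one that accepts only a number, binds it as a parameter, and scopes the statement to the caller's own records. The contacts table, the owner column, the function names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Request values quoted from the advisory text on this page.
PAGE_PAYLOADS = ["’; DROP TABLE ‘; - 1;’;’", "’; - 1;’;’"]

def make_db():
    # Constructed schema and rows (assumption: the real schema is not on the page).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    db.executemany("INSERT INTO contacts VALUES (?, ?, ?)",
                   [(1, "alice", "Carol"), (2, "bob", "Dave")])
    return db

def count(db):
    return db.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]

def parse_contact_id(raw):
    # The page says contact_id is a number: accept ASCII digits only.
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit() and len(raw) <= 18):
        raise ValueError("contact_id must be a positive integer")
    value = int(raw)
    if value < 1:
        raise ValueError("contact_id must be a positive integer")
    return value

def delete_contact_vulnerable(db, raw):
    # "Before": the request value becomes part of the SQL text.
    return db.execute("DELETE FROM contacts WHERE id = " + raw).rowcount

def delete_contact(db, user, raw):
    # "After": validate, bind as a parameter, and enforce ownership in the
    # statement itself so a valid id for someone else's record matches nothing.
    contact_id = parse_contact_id(raw)
    cur = db.execute("DELETE FROM contacts WHERE id = ? AND owner = ?",
                     (contact_id, user))
    return cur.rowcount

def is_rejected(db, user, raw):
    try:
        delete_contact(db, user, raw)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    # Constructed non-numeric value: the WHERE clause no longer limits the delete.
    print("vulnerable rows deleted:", delete_contact_vulnerable(db, "1 OR 1=1"))
    db = make_db()
    print("page payloads rejected:", [is_rejected(db, "alice", p) for p in PAGE_PAYLOADS])
    print("other user's record:", delete_contact(db, "alice", "2"), "rows left:", count(db))
```
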

Timeline

Published on: 09/09/2022 14:15:00 UTC
Last modified on: 09/13/2022 16:43:00 UTC
