CVE-2022-45962 Postauth SQLI
Authenticated SQL Injection in openSIS classic prior to 9.0.
openSIS is a commercial grade, secure, scalable & intuitive Student Information System, School Management Software from OS4ED. Has all functionalities to run single or multiple institutions in one installation. Web based, php code, MySQL database.
Maintained by , openSIS is advertised as an open source Student Information System and comes in two versions: Community and Pro. The source code is available on GitHub .
During a code review of the application I noticed the following lines in :
As we can see in the first line, openSIS developers sanitized the `event_id` parameter in order to prevent SQL injection in the first `if` branch. However, should this parameter be empty, another parameter is used to build a different query in the `else` branch.
The query can be reduced to this format:
Apparently, the request parameter `assignment_id` is concatenated to the condition of a `SELECT` statement used to retrieve some information from the database.
Since this site is accessible only by authenticated users, an adversary would need a valid set of credentials. Beware that this also includes any student account.
Knowing the injectable query, we can craft a specific payload for exploitation:
Successful exploitation may lead to a full database information disclosure. The database contains PII of both students and teachers as well as grades, settings and the passwords of all users.
The parameter is now passed to a filter that includes `mysqli_real_escape_string` before being used in the query. Although best practice would dictate the use of parameterized queries, the injection should no longer be possible.
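To make the two shapes discussed above concrete (the concatenated `else` branch and the escaping-based fix), here is an added illustration written for this page; it is not openSIS code and not the vendor's commit. The table and column names (`assignments`, `assignment_id`, `event_id`, `title`), the use of `$_REQUEST`-style input, and the availability of `mysqli_stmt::get_result` (mysqlnd) are all assumptions.

```php
<?php
// Added illustration, not openSIS code. Table/column names are assumed.
// Each function receives the request array ($_REQUEST or similar) and a mysqli handle.

// 1. Vulnerable shape: the second branch concatenates an untrusted request
//    parameter straight into the WHERE condition.
function lookupVulnerable(mysqli $db, array $request): array
{
    if (!empty($request['event_id'])) {
        // First branch: value is sanitized (cast to int) before use.
        $eventId = (int) $request['event_id'];
        $sql = "SELECT assignment_id, title FROM assignments WHERE event_id = $eventId";
    } else {
        // Second branch: no sanitization, the value becomes part of the SQL text.
        $id  = $request['assignment_id'] ?? '';
        $sql = "SELECT assignment_id, title FROM assignments WHERE assignment_id = '" . $id . "'";
    }
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// 2. Escaping-based fix (the shape the advisory describes): the value is run
//    through mysqli_real_escape_string before being placed inside the quotes.
//    This only helps because the literal is quoted; a bare numeric comparison
//    would still be injectable after escaping.
function lookupEscaped(mysqli $db, array $request): array
{
    if (!empty($request['event_id'])) {
        $eventId = (int) $request['event_id'];
        $sql = "SELECT assignment_id, title FROM assignments WHERE event_id = $eventId";
    } else {
        $id  = mysqli_real_escape_string($db, $request['assignment_id'] ?? '');
        $sql = "SELECT assignment_id, title FROM assignments WHERE assignment_id = '" . $id . "'";
    }
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// 3. Parameterized fix (best practice): the value travels as a bound parameter
//    and is never interpreted as SQL, regardless of quoting or data type.
function lookupSafe(mysqli $db, array $request): array
{
    if (!empty($request['event_id'])) {
        $eventId = (int) $request['event_id'];
        $stmt = $db->prepare("SELECT assignment_id, title FROM assignments WHERE event_id = ?");
        $stmt->bind_param('i', $eventId);
    } else {
        $id   = $request['assignment_id'] ?? '';
        $stmt = $db->prepare("SELECT assignment_id, title FROM assignments WHERE assignment_id = ?");
        $stmt->bind_param('s', $id);
    }
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // requires mysqlnd (assumed)
}
```

When reviewing similar code, the check to make is whether every request-derived value that reaches a query string is either bound as a parameter or both escaped and enclosed in quotes; a branch that builds its own query (as the `else` branch does here) needs the same scrutiny as the branch that was already hardened.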
Self-assigned CVSS score: with a base score of 6.5.
After contacting the vendor, the vulnerability was soon acknowledged and has now been addressed in the latest release. The fix can be found in this commit: .