=============================================================================== title: Tuleap SQL Injection case id: CM-2018-01 product: Tuleap version 9.17.99.189 vulnerability type: Blind SQL injection - time based severity: High found: 2018-02-24 by: Cristiano Maruti (@cmaruti) =============================================================================== [EXECUTIVE SUMMARY] Enalean Tuleap is a project management system for application lifecycles management, agile development and design projects, requirement management, IT services management, and so on. The analysis discovered a time-based blind SQL injection vulnerability (OTG-INPVAL-005) in the tracker functionality of Tuleap software engineering platform. A malicious user can inject arbitrary SQL commands to the application. The vulnerability lies in the project tracker service search functionality; depending on project visibility successful exploitation may or may not require user authentication. A successful attack can read, modify or delete data from the database or, depending on the privilege of the user (default: restricted) and the database engine in use (default: MySQL), execute arbitrary commands on the underlying system. [VULNERABLE VERSIONS] The following version of the Tuleap software was affected by the vulnerability; previous versions may be vulnerable as well: - Tuleap version 9.17.99.189 [TECHNICAL DETAILS] It is possible to reproduce the vulnerability following these steps: 1. Open the tracker service in a publicly visible project 2. Leave all the fields empty and submit the search form while logging the request with the help of an application proxy like Burp or ZAP 3. Copy the previous request and edit the "criteria[499][values][]" field in the request body with the "(select(0)from(select(sleep(3)))a)/**/" payload 4. Send the request to the application 5. Application will respond with a three second delay Below a full transcript of the HTTP request used to raise the vulnerability and also a cURL one liner to highlight the induced delay in the application response. HTTP Request
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment