Blind Time Based SQL Injection in “Categories” feature via “color” parameter when filtering products

  • Hi,

    The list of products is displayed to the user under the categories page. In this feature, there is a filter option where
    the user can filter products by color and price. When a filter is applied, a GET request is made with color
    and price parameters. The value provided to the color parameter is used on the server side to dynamically build and
    execute a SQL query, because of which the application is vulnerable to SQL Injection. By sending a crafted
    payload as the value of the color parameter, we are able to control the SQL queries being executed on the
    database and extract data from the database. The application doesn't return the result of the SQL query to the user or print verbose errors, so the SQL Injection in this case is considered "blind": we cannot see the server output, so we used time differences in the server responses to enumerate data.

    As this was a vulnerability assessment, we stopped after detecting and confirming this vulnerability. A
    malicious user may craft additional payloads that could be used to access and extract arbitrary data
    from the backend database.

    Steps to reproduce:
    1. Navigate to a collection at
    2. Click on "FILTER" and choose a colour, then intercept the GET request made by the application using an
    interception proxy like Burp Suite
    3. Change the color parameter value from to (select*from(select(sleep(15)))a) and
    forward the request
    4. The application will take longer than 15 seconds to send the response, which indicates that the
    payload we used introduced a time delay

    We're currently using Bagisto version 0.1.6. Please let us know whether this issue has been fixed. If not, could you please suggest how we can fix it?

    Thank You.

  • Hi @Keerthi

    We are checking and will update it.

  • Hi @rahul,

    Thank you, I am waiting for your reply.

  • Hi @Keerthi

    This issue has been fixed, kindly pull from the master branch.

  • Hi,

    Thank you so much for fixing the bug, and I really appreciate the entire Bagisto team for such wonderful support. Once again, thank you so much ☺
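
The vulnerable pattern behind the "color" filter injection reported in the first post, beside a hardened handler, as an added example that is not Bagisto's own code. It assumes the colour filter carries an attribute option id and a `products` table with a `color_option_id` column; SQLite is used so the file runs stand-alone (MySQL's `sleep()` is not available there, so the payload surfaces as a parse/execution error instead of a delay).

```php
<?php
// Added example, not Bagisto's code. Assumed schema: products(id, name, color_option_id).
// SQLite in-memory database so the script runs offline; the table rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, color_option_id INTEGER)");
$pdo->exec("INSERT INTO products (name, color_option_id) VALUES ('Shirt', 3), ('Hat', 5)");

// Vulnerable: the raw GET value is spliced into the SQL text, so the value
// (select*from(select(sleep(15)))a) from the report is parsed as a subquery.
// On MySQL that subquery is what produces the 15-second delay.
function filterVulnerable(PDO $pdo, string $color): array {
    $sql = "SELECT id, name FROM products WHERE color_option_id IN (" . $color . ")";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the shape (comma-separated integers), then bind each value
// as a parameter so user input can never become SQL syntax.
function filterSafe(PDO $pdo, string $color): array {
    $ids = array_map('trim', explode(',', $color));
    foreach ($ids as $id) {
        if (!ctype_digit($id)) {
            throw new InvalidArgumentException("invalid color filter: $color");
        }
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, name FROM products WHERE color_option_id IN ($placeholders)");
    $stmt->execute(array_map('intval', $ids));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = '5';                                  // a legitimate option id
$payload = '(select*from(select(sleep(15)))a)';  // the value from the report

print_r(filterVulnerable($pdo, $normal));        // returns the 'Hat' row
try {
    filterVulnerable($pdo, $payload);            // payload reaches the SQL parser
} catch (PDOException $e) {
    echo "vulnerable handler ran the payload as SQL: " . $e->getMessage() . "\n";
}

print_r(filterSafe($pdo, $normal));              // same 'Hat' row via a bound parameter
try {
    filterSafe($pdo, $payload);                  // rejected before any SQL is built
} catch (InvalidArgumentException $e) {
    echo "hardened handler rejected it: " . $e->getMessage() . "\n";
}
```

A web application firewall rule or access-log search for `sleep(` in the `color` parameter, together with response-time outliers on the categories endpoint, is a practical way to detect probing of this kind while the fix is rolled out.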
