Blind Time Based SQL Injection in “Categories” feature via “color” parameter when filtering products
- Hi, the list of products is displayed to the user under the categories page. In this feature there is a filter option where the user can filter products by color and price. When a filter is applied, a GET request is made with color and price parameters. The value provided to the color parameter is used on the server side to dynamically build and execute a SQL query, because of which the application is vulnerable to SQL injection. By sending a crafted payload as the value of the color parameter, we are able to control the SQL queries being executed on the database and extract data from it. The application doesn't return the result of a SQL query to the user or print verbose errors, so the SQL injection in this case is considered "blind": we cannot see the server output, so we used the time difference in the server responses to enumerate data. As this was a vulnerability assessment, we stopped after detecting and confirming this vulnerability. A malicious user may craft additional payloads that could be used to access and extract arbitrary data from the backend database.

  Steps to reproduce:

  1. Navigate to a collection at https://www.mysite.com/categories/category_name
  2. Click on "FILTER" and choose a colour. Intercept the GET request made by the application using an interception proxy like Burp Suite.
  3. Change the color parameter value from to (select*from(select(sleep(15)))a) and forward the request.
  4. The application will take longer than 15 seconds to send the response, which indicates that the payload we used introduced a time delay.

  We're currently using Bagisto version 0.1.6. Please let us know if this issue has been fixed. If not, could you please suggest how we can fix it? Thank you.
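As an added illustration, not code from Bagisto or from the reporter, the following Python script contrasts the string-concatenation pattern the report describes with a type-validated, parameterised filter. It uses an in-memory SQLite database with constructed sample products; because SQLite has no sleep() function, the injected payload surfaces as an engine error rather than the 15-second delay seen on MySQL, which equally shows whether the input was parsed as SQL.

```python
import sqlite3

# Constructed sample catalogue standing in for the products table.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, color_id INTEGER, price REAL);
        INSERT INTO products VALUES (1, 'Shirt', 1, 19.99), (2, 'Hat', 2, 9.99),
                                    (3, 'Scarf', 1, 14.50);
    """)
    return conn

def filter_vulnerable(conn, color, price_max):
    """Builds the WHERE clause by concatenation, as the report describes.
    Whatever arrives in the color parameter becomes part of the SQL text."""
    sql = (f"SELECT id, name FROM products WHERE color_id = {color} "
           f"AND price <= {price_max}")
    return conn.execute(sql).fetchall()

def filter_hardened(conn, color, price_max):
    """Validates the types first, then passes the values as bound parameters,
    so user input can only ever be data, never SQL syntax."""
    try:
        color_id, price = int(color), float(price_max)
    except (TypeError, ValueError):
        raise ValueError(f"invalid filter value: {color!r}, {price_max!r}")
    sql = "SELECT id, name FROM products WHERE color_id = ? AND price <= ?"
    return conn.execute(sql, (color_id, price)).fetchall()

def compare(color, price_max):
    """Run the same input through both versions and report what each did."""
    conn = build_db()
    outcome = {}
    try:
        outcome["vulnerable"] = filter_vulnerable(conn, color, price_max)
    except sqlite3.OperationalError as exc:
        # The engine tried to run the injected SQL. On MySQL sleep(15) would
        # stall the response; SQLite reports the function as unknown instead.
        outcome["vulnerable"] = f"engine error: {exc}"
    try:
        outcome["hardened"] = filter_hardened(conn, color, price_max)
    except ValueError as exc:
        # Rejected before any query was built or sent to the database.
        outcome["hardened"] = f"rejected: {exc}"
    return outcome

if __name__ == "__main__":
    print(compare("1", "20"))
    print(compare("(select*from(select(sleep(15)))a)", "100"))
```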
- Hi @Keerthi, we are checking and will update it.
- Hi @rahul, thank you, and I am waiting for your reply.
- Hi, thank you so much for fixing the bug. I really appreciate the entire Bagisto team for such wonderful support. Once again, thank you so much.