usd-2022-0064 | FileRun 20220519 - SQL Injection

Advisory ID: usd-2022-0064
Product: FileRun
Affected Version: 20220519
Vulnerability Type: SQL Injection (CWE-89)
Security Risk: Medium
Vendor URL: https://filerun.com
CVE number: CVE-2022-47532
CVE Link: pending

Description

The dir parameter of FileRun's user list request (module=users, section=cpanel, page=list) is vulnerable to SQL injection.

Proof of Concept

The following original request was issued:

POST /?module=users&section=cpanel&page=list HTTP/1.1
Host: localhost
Content-Length: 46
Cookie: FileRunSID=851650212253d5b5fe859fc3197d456f
Connection: close
[...]sort=username&dir=ASC&remoteSort=true&limit=50

Appending a single quote (') to the dir parameter results in an Internal Server Error.
The resulting query is shown below; the quote lands unescaped after ASC in the ORDER BY clause:

SELECT SQL_CALC_FOUND_ROWS USR.*, (PERM.admin_type != '' OR R.admin_type !='' OR USR.id = 1) AS admin_type FROM df_users AS USR LEFT JOIN df_users_permissions AS PERM ON USR.id=PERM.uid LEFT JOIN df_modules_user_roles AS R ON PERM.role = R.id WHERE ((USR.id = PERM.uid)AND(((PERM.role = 0) OR (PERM.role IS NULL))OR(((PERM.role != 0) AND (PERM.role IS NOT NULL)) AND (PERM.role = R.id)))) ORDER BY username ASC' LIMIT 0, 50

Fix

The use of prepared statements is recommended.
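
A sort direction is SQL syntax rather than a value, so a placeholder cannot bind it; the usual companion to prepared statements for ORDER BY input is an allow-list. The following is an added example, not FileRun code and not part of the original advisory, showing the concatenated form beside an allow-listed form. Assumptions: Python with an in-memory SQLite table in place of the MySQL backend, and hypothetical function names, table layout and page-size limit.

```python
import sqlite3

# Sort column and direction are SQL syntax, not values, so a bound
# placeholder cannot carry them. Map request input to fixed strings.
SORT_COLUMNS = {"username": "username", "id": "id"}
SORT_DIRECTIONS = {"ASC": "ASC", "DESC": "DESC"}


def make_db():
    """Constructed in-memory table standing in for a user list."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO users (username) VALUES (?)",
                   [("carol",), ("alice",), ("bob",)])
    return db


def list_users_vulnerable(db, sort, direction, limit):
    """'Before' form: request values concatenated into ORDER BY."""
    sql = f"SELECT username FROM users ORDER BY {sort} {direction} LIMIT {limit}"
    return [row[0] for row in db.execute(sql)]


def list_users_hardened(db, sort, direction, limit):
    """Allow-listed ORDER BY terms, bound LIMIT value."""
    column = SORT_COLUMNS.get(sort)
    order = SORT_DIRECTIONS.get(str(direction).upper())
    if column is None or order is None:
        raise ValueError("unsupported sort column or direction")
    limit = max(1, min(int(limit), 200))  # 200 is an assumed page-size cap
    sql = f"SELECT username FROM users ORDER BY {column} {order} LIMIT ?"
    return [row[0] for row in db.execute(sql, (limit,))]


if __name__ == "__main__":
    db = make_db()
    print(list_users_hardened(db, "username", "ASC", 50))
    try:
        list_users_vulnerable(db, "username", "ASC'", 50)
    except sqlite3.OperationalError as exc:
        print("vulnerable form, database error:", exc)
    try:
        list_users_hardened(db, "username", "ASC'", 50)
    except ValueError as exc:
        print("hardened form, rejected before SQL:", exc)
```

In the hardened form only strings taken from the two dictionaries reach the SQL text, so the quoted dir value from the proof of concept is rejected before any query is built.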

Timeline

  • 2022-12-16: First contact request via mail
  • 2022-12-16: Vulnerability details shared with vendor
  • 2023-03-08: Ask vendor for patch status
  • 2023-04-20: Ask vendor for patch status
  • 2023-07-09: Vendor reports that the vulnerability is patched in 2023.1.0
  • 2023-12-21: Publish advisory

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.