{"id":16685,"date":"2021-07-07T16:23:45","date_gmt":"2021-07-07T14:23:45","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0033\/"},"modified":"2021-07-19T14:15:46","modified_gmt":"2021-07-19T12:15:46","slug":"usd-2020-0033","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0033\/","title":{"rendered":"usd-2020-0033"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

usd-2020-0033 | Gambio GX 4.0.0.0<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2020-0033<\/span>
CVE Number<\/strong>: CVE-2020-10982<\/span>
Affected Product<\/strong>: Gambio GX<\/span>
Affected Version<\/strong>: 4.0.0.0<\/span>
Vulnerability Type<\/strong>: Blind SQL Injection<\/span>
Security Risk<\/strong>: Medium<\/span>
Vendor URL<\/strong>: https:\/\/www.gambio.de\/<\/a><\/span>
Vendor Status<\/strong>: Fixed in 4.0.1.0 (according to vendor)<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

The web shop application \u201eGambio GX\u201c contains a blind SQL injection vulnerability in the admin area. The vulnerability allows an authenticated attacker with administrative privileges to leak database contents.<\/span><\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

The application gambio has a blind SQL injection vulnerability in the admin area. The file <\/span>admin\/gv_mail.php<\/em> between line 361 and 365 contains the vulnerable code. The GET argument <\/span>cID<\/em>\u00a0is passed to the application and is concatenated with the SQL query. An attacker could exploit this to manipulate the database query.<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200033-1.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200033-1\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

The following request can be send to the web application. This request would cause the server to respond only after 15 seconds:<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200033-2.png\" title_text=\"usd20200033-2\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

\n
\n

Fix<\/h3>\n

Most instances of SQL injection can be prevented by using parameterized queries (also known as prepared statements) instead of string concatenation within the query.<\/span><\/p>\n

<\/h3>\n

References<\/h3>\n

https:\/\/owasp.org\/www-community\/attacks\/SQL_Injection<\/a><\/p>\n

<\/h3>\n

Timeline<\/h3>\n