{"id":16687,"date":"2021-07-07T16:20:55","date_gmt":"2021-07-07T14:20:55","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0034\/"},"modified":"2021-07-19T14:15:54","modified_gmt":"2021-07-19T12:15:54","slug":"usd-2020-0034","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0034\/","title":{"rendered":"usd-2020-0034"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

usd-2020-0034 | Gambio GX 4.0.0.0<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2020-0034<\/span>
CVE Number<\/strong>: CVE-2020-10983<\/span>
Affected Product<\/strong>: Gambio GX<\/span>
Affected Version<\/strong>: 4.0.0.0<\/span>
Vulnerability Type<\/strong>: Blind SQL Injection<\/span>
Security Risk<\/strong>: Medium<\/span>
Vendor URL<\/strong>: https:\/\/www.gambio.de\/<\/a><\/span>
Vendor Status<\/strong>: Fixed in 4.0.1.0 (according to vendor)<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

The web shop application \u201eGambio GX\u201c contains a blind SQL injection vulnerability in the admin area. The vulnerability allows an authenticated attacker with administrative privileges to leak database contents.<\/span><\/p>\n

<\/span><\/p>\n

Introduction<\/h3>\n

The application gambio has a blind SQL injection vulnerability in the admin area. The file <\/span>\/admin\/mobile.php<\/em> between line 75 and 94 contains the vulnerable code. The POST argument <\/span>$order_id<\/em>\u00a0is passed to the application and is concatenated with the SQL query. An attacker could exploit this to manipulate the database query.<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200034-1.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200034-1\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

Proof of Concept (PoC)<\/span><\/h3>\n
\n

The following request can be send to the web application. This request would cause the server to respond after 20 seconds.<\/p>\n<\/div>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200034-2.png\" title_text=\"usd20200034-2\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

\n
\n

Fix<\/h3>\n

Most instances of SQL injection can be prevented by using parameterized queries (also known as prepared statements) instead of string concatenation within the query.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n