SQL injection in OCSReports

Bug #884273 reported by Emmanuel Bouillon
Affects: OCS Inventory: OCSReports
Status: Fix Released
Importance: Critical
Assigned to: Erwan

Bug Description

Dear all,

- I'd like to bring to your attention that OCSReports is prone to an SQL Injection vulnerability.

- The vulnerability was found and tested on the Virtual Machine OCS-NG-Server-2.0.2-Ubuntu-11.04-32

- Proof of Concept:
   * Once authenticated, go to Config>Blacklist (url: https://x.x.x.x/ocsreports/index.php?function=admin_black)
   * Choose any tab (MAC address, Serial number, ...)
   * E.g. in the MAC address tab, restrict the view according to the MACADDRESS field
   * try 1' or 1=1 -- (don't forget the last space character)
   * try 1' UNION all SELECT 1,CONCAT(user,0x3a,password) from mysql.user -- (don't forget the last space character)
   * etc.

- I would be obliged if you could confirm the problem and if so, I would appreciate being kept abreast of any workaround or fix (early access to a patch would be greatly appreciated). I would also be interested in knowing how, if at all, you intend to coordinate public disclosure (and claim for any CVE number).

Thanks for this product and your work.

Best regards,
Emmanuel Bouillon
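A minimal illustration of the flaw described in the report, added here as an example that is not part of the bug report or of OCSReports' own code: the vulnerable string-built filter query next to its parameterized form, written in Python over an in-memory SQLite table standing in for the MySQL blacklist table (the table and column names are assumptions). It runs the report's first payload through both variants, and through an additional input-shape check as defense in depth, so the difference in returned rows is visible.

```python
import re
import sqlite3

# Constructed sample rows for this example; the table and column names below
# are assumptions and are not the OCSReports schema.
SAMPLE_MACS = [("00:11:22:33:44:55",), ("aa:bb:cc:dd:ee:ff",), ("de:ad:be:ef:00:01",)]

# Shape of a colon-separated MAC address (hypothetical validation rule).
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blacklist_macaddresses (MACADDRESS TEXT)")
    conn.executemany("INSERT INTO blacklist_macaddresses VALUES (?)", SAMPLE_MACS)
    return conn


def filter_vulnerable(conn, user_input):
    """Vulnerable pattern: the filter value is pasted into the SQL text.

    A value containing a quote closes the string literal, and the rest of the
    input is parsed as SQL, so the WHERE clause no longer restricts anything.
    """
    sql = ("SELECT MACADDRESS FROM blacklist_macaddresses "
           "WHERE MACADDRESS = '" + user_input + "'")
    return [row[0] for row in conn.execute(sql)]


def filter_parameterized(conn, user_input):
    """Hardened pattern: the value is bound as a query parameter.

    The SQL text is fixed; whatever the user typed is compared as data, so a
    quote or comment marker inside it cannot change the query structure.
    """
    sql = "SELECT MACADDRESS FROM blacklist_macaddresses WHERE MACADDRESS = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def filter_validated(conn, user_input):
    """Defense in depth: reject anything not shaped like a MAC address before
    it reaches the database, and still bind the value as a parameter."""
    if not MAC_RE.match(user_input):
        raise ValueError("filter value is not a MAC address")
    return filter_parameterized(conn, user_input)


def compare(user_input):
    """Run one filter value through all three variants and report how many
    rows each returns (None when the validating variant rejects the input)."""
    conn = make_db()
    try:
        validated = len(filter_validated(conn, user_input))
    except ValueError:
        validated = None
    return {
        "vulnerable": len(filter_vulnerable(conn, user_input)),
        "parameterized": len(filter_parameterized(conn, user_input)),
        "validated": validated,
    }


if __name__ == "__main__":
    # The first payload from the report: a closing quote, an always-true
    # condition, and a comment marker that swallows the trailing quote.
    print(compare("1' or 1=1 -- "))       # {'vulnerable': 3, 'parameterized': 0, 'validated': None}
    # A genuine MAC address behaves the same way under all three variants.
    print(compare("aa:bb:cc:dd:ee:ff"))   # {'vulnerable': 1, 'parameterized': 1, 'validated': 1}
```

The string-built variant returns every blacklist row for the payload because the comparison has become `MACADDRESS = '1' or 1=1`; the bound-parameter variant compares the whole payload as one literal value and matches nothing. The shape check is not a substitute for parameter binding (a MAC-shaped value can still be hostile in other contexts) but it narrows what the database ever sees.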

Revision history for this message
Emmanuel Bouillon (lebouille71) wrote :

Demo site (http://www.ocsinventory-ng.org/fr/demo/) looks vulnerable.

Erwan (airoine)
Changed in ocsinventory-ocsreports:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Erwan (airoine)
Revision history for this message
Erwan (airoine) wrote :
Changed in ocsinventory-ocsreports:
status: Confirmed → Fix Committed
Revision history for this message
Emmanuel Bouillon (lebouille71) wrote : Re: [Bug 884273] Re: SQL injection in OCSReports

Hi,

Regarding the patch I have an issue.
Is the "added" versus "Removed" reversed?
For instance, the 4 lines to be added are already in the original
ms_blacklist.php.

Am I missing something? Could you just attach the new ms_blacklist.php?

Thanks,
Kind regards,
Emmanuel

On Thu, 2011-11-03 at 11:58 +0000, Erwan wrote:
> hi
>
> can you validate the fix?
> http://bazaar.launchpad.net/~ocsinventory-core/ocsinventory-ocsreports/stable-2.0/revision/798
>
> best regards
>
> ** Changed in: ocsinventory-ocsreports
> Status: Confirmed => Fix Committed
>

Revision history for this message
Erwan (airoine) wrote :
Revision history for this message
Emmanuel Bouillon (lebouille71) wrote :

Hi,
I confirm it solves the reported SQLi issue.
Thanks,
Please keep me abreast of the disclosure process.
Best regards.
Emmanuel

On Thu, 2011-11-03 at 11:58 +0000, Erwan wrote:
> hi
>
> can you validate the fix?
> http://bazaar.launchpad.net/~ocsinventory-core/ocsinventory-ocsreports/stable-2.0/revision/798
>
> best regards
>
> ** Changed in: ocsinventory-ocsreports
> Status: Confirmed => Fix Committed
>

Revision history for this message
Emmanuel Bouillon (lebouille71) wrote :

On Thu, 2011-11-03 at 12:57 +0000, Erwan wrote:
> the new ms_blacklist.php: http://bazaar.launchpad.net/~ocsinventory-core/ocsinventory-ocsreports/stable-2.0/view/head:/plugins/main_sections/ms_config/ms_blacklist.php
>

Dear all,
Have you requested a CVE number for this vulnerability to
<email address hidden> ? If so, please mention my employer in the Credit:
Emmanuel Bouillon from NATO C3 Agency.
Kind regards,
Emmanuel

Revision history for this message
Erwan (airoine) wrote :

Hi Emmanuel.

We didn't open a CVE. You found this security bug, so you can open one if you want. I have just changed the status from private to public. You can add the link in the CVE.

Thanks a lot for your help (and your employer).

best regards

Erwan

visibility: private → public
Arthur Jaouen (arthur-z)
Changed in ocsinventory-ocsreports:
status: Fix Committed → Fix Released