A company offering an online project and customer relationship management system had a very easy-to-spot SQL injection vulnerability for 10 years or more.
|Published:||Mon, October 2, 2017, 06:55|
|Updated:||Mon, October 2, 2017, 09:05|
Microsoft SQL Server
OWASP 2013 A1
OWASP 2013 A3
A Norwegian company with a centralized online project management tool had an SQL injection vulnerability for at least 10 years.
|Who:||Anonymous, let's call them Acme3|
|Reported:||Summer 2017 (and possibly 2007)|
|Reception and handling:||Poor|
|Reward:||A thank you|
|Issue:||SQL injection affecting all customers|
In 2007 I was working for a company that started using a SaaS project tool and, more or less, a complete CRM. As a software developer I personally used it for time-tracking for the projects and customers I was working with.
It was a very poor tool for time-tracking (as most time-tracking tools are even today), but that was soon to be overshadowed when I noticed that the URLs contained SQL. Not only did the service leak data, it was possible to alter data. Not only was this possible within our own company, but this was across all of the service's customers.
I of course told about this to my boss. To emphasize the problem I changed my boss' name to be surrounded by the infamous <blink/> tag to make it constantly blink while he was logged in.
I also prepared an article for the great "software engineering disaster blog" The Daily WTF which I read daily back then. However, I changed jobs in 2007 and soon forgot all about the article, the security hole and Acme3.
Preparing my blog I looked back at some old issues I had screenshot and made notes from and of course found this one. Checking out their online demo I saw that they still had the SQL injection issue. 10 years later. Seeing the old screenshots that says "Copyright 2000" one can wonder how many their customers who have been affected by this.
The URLs looked like this:
http://example.com/lookup.asp ?title=Employees&list=0&headers=Employee+Id;First+name;Last+name &select=SELECT+EMPLOYEE_ID,FIRST_NAME,LAST_NAME+FROM+EMPLOYEES &goURL=someother.asp&key=EmployeeID&projID=&where=&order=3&records=all
It can't really get much worse than this.
So from here one could change the query to e.g. include the password. It's hard to believe, but it does actually look like they have some salt in the password hashes. But that doesn't matter much as it was possible to run UPDATE statements using the URL.
My favorite changes I did was in the line of these:
http://example.com/lookup.asp?headers=version &select=UPDATE+EMPLOYEES+SET+FIRST_NAME='<blink></blink>' +WHERE+USER_ID='myboss';SELECT+@@VERSION,@@VERSION+AS+ver&order=ver
http://example.com/lookup.asp?headers=version &select=UPDATE+EMPLOYEES+SET+FIRST_NAME='John+"I+better+report+these+security+issues+to+Acme3+soon"+Boss' +WHERE+USER_ID='myboss';SELECT+@@VERSION,@@VERSION+AS+ver&order=ver
But what was even more worrying was that each company had a different database in the same database server, and it was possible to do queries across databases. I never tried altering data for other companies, but gaining read access is bad enough. The database user seemed to have access to all kinds of databases and system tables.
Depending on how a company was using the service it was possible for anyone to get access to the following information:
From the look of it was possible to alter any data as well.
The company was non-existing in social media etc. I never managed to find any e-mail addresses. But they had a contact form on their website which I used to tell them about this. The only problem was that the form doesn't work at all in some browsers and doesn't give any feedback if it's been successfully submitted in the rest of the browsers.
I got no response.
I tried the contact form once again just asking if the form was working at all. I never got an answer.
Suddenly one night there was someone online on a chat on their site. I filled in my name and asked if the contact form on their site worked. The guy just replied "We saw your "security" report". What? Why haven't they contacted me? He went on telling that the issue is fixed now. They "had a round of security this summer". Then he told me to say if I saw anything else, gave me a short "thank you" and finished "night".
I'm not sure if the conversation was directly unfriendly, but it sure wasn't friendly. And it makes me think that this isn't serious people. Though, at least now I knew the issue was reported and they claimed to have fixed it. I don't want to check.
This is a bit of a special case going back so many years. Did they receive any reports 10 years ago at all? It would be easier to name them if I was able to communicate with them. The not-so-friendly support chat gave me some bad vibes, and I haven't been able to find out much about the company or the people behind it.
From public financial information I see that they have had 1-2 million USD in annual revenue the last 10 years. As far as I can understand they don't have any other products, so they should have quite a few customers using this service.
From time to time there are news articles about industrial espionage. Companies like Acme3 sure makes it easy to those looking for data.
Are you working in one of the companies using this system? Maybe you should use an expert to take a quick look at the systems where your company stores information you don't want to be leaked or even altered.
Is it possible that an issue like this was existing for ten years without no one taking advantage of it? That's hard to believe.