Case #8: SQL injection vulnerable for 10 years

A company offering an online project and customer relationship management system had a very easy-to-spot SQL injection vulnerability for 10 years or more.

Published: Mon, October 2, 2017, 06:55
Updated: Mon, October 2, 2017, 09:05
Category:
Security
Tags:
Security Monday
Information leak
XSS
ASP.NET
Microsoft SQL Server
Data alteration
OWASP 2013 A1
OWASP 2013 A3

tl;dr 🔗

A Norwegian company with a centralized online project management tool had an SQL injection vulnerability for at least 10 years.

Summary 🔗

Who: Anonymous, let's call them Acme3
Severity level: Critical
Reported: Summer 2017 (and possibly 2007)
Reception and handling: Poor
Status: Who knows..
Reward: A thank you
Issue: SQL injection affecting all customers

Background 🔗

In 2007 I was working for a company that started using a SaaS project tool and, more or less, a complete CRM. As a software developer I personally used it for time-tracking for the projects and customers I was working with.

It was a very poor tool for time-tracking (as most time-tracking tools are even today), but that was soon to be overshadowed when I noticed that the URLs contained SQL. Not only did the service leak data, it was possible to alter data. Not only was this possible within our own company, but this was across all of the service's customers.

I of course told about this to my boss. To emphasize the problem I changed my boss' name to be surrounded by the infamous <blink/> tag to make it constantly blink while he was logged in.

I also prepared an article for the great "software engineering disaster blog" The Daily WTF which I read daily back then. However, I changed jobs in 2007 and soon forgot all about the article, the security hole and Acme3.

Preparing my blog I looked back at some old issues I had screenshot and made notes from and of course found this one. Checking out their online demo I saw that they still had the SQL injection issue. 10 years later. Seeing the old screenshots that says "Copyright 2000" one can wonder how many their customers who have been affected by this.

Approach (technical stuff) 🔗

You don't need very heavy measures to find any issues when you find out that the URLs of a site actually uses SQL. The URLs were "concealed" because of the site using frames. I had a look at their JavaScript and noticed that it built SQL queries which was used as URL parameters.

The URLs looked like this:

http://example.com/lookup.asp
?title=Employees&list=0&headers=Employee+Id;First+name;Last+name
&select=SELECT+EMPLOYEE_ID,FIRST_NAME,LAST_NAME+FROM+EMPLOYEES
&goURL=someother.asp&key=EmployeeID&projID=&where=&order=3&records=all

It can't really get much worse than this.

So from here one could change the query to e.g. include the password. It's hard to believe, but it does actually look like they have some salt in the password hashes. But that doesn't matter much as it was possible to run UPDATE statements using the URL.

My favorite changes I did was in the line of these:

http://example.com/lookup.asp?headers=version
&select=UPDATE+EMPLOYEES+SET+FIRST_NAME='<blink>John+Boss</blink>'
+WHERE+USER_ID='myboss';SELECT+@@VERSION,@@VERSION+AS+ver&order=ver
http://example.com/lookup.asp?headers=version
&select=UPDATE+EMPLOYEES+SET+FIRST_NAME='John+"I+better+report+these+security+issues+to+Acme3+soon"+Boss'
+WHERE+USER_ID='myboss';SELECT+@@VERSION,@@VERSION+AS+ver&order=ver

But what was even more worrying was that each company had a different database in the same database server, and it was possible to do queries across databases. I never tried altering data for other companies, but gaining read access is bad enough. The database user seemed to have access to all kinds of databases and system tables.

Security issues 🔗

Depending on how a company was using the service it was possible for anyone to get access to the following information:

  • Employees' names, usernames, position, password hashes, addresses, phone numbers, e-mail addresses, pictures, payrolls
  • All kinds of info about companies' projects
  • Customers of the company
  • Outoing invoices
  • Budgets
  • Accounting
  • Timesheets
  • And everything else you would expect from a borderline project tool/CRM

From the look of it was possible to alter any data as well.

Reception and handling 🔗

Day zero 2017 🔗

The company was non-existing in social media etc. I never managed to find any e-mail addresses. But they had a contact form on their website which I used to tell them about this. The only problem was that the form doesn't work at all in some browsers and doesn't give any feedback if it's been successfully submitted in the rest of the browsers.

I got no response.

Day 14ish 🔗

I tried the contact form once again just asking if the form was working at all. I never got an answer.

Day 21ish 🔗

Suddenly one night there was someone online on a chat on their site. I filled in my name and asked if the contact form on their site worked. The guy just replied "We saw your "security" report". What? Why haven't they contacted me? He went on telling that the issue is fixed now. They "had a round of security this summer". Then he told me to say if I saw anything else, gave me a short "thank you" and finished "night".

I'm not sure if the conversation was directly unfriendly, but it sure wasn't friendly. And it makes me think that this isn't serious people. Though, at least now I knew the issue was reported and they claimed to have fixed it. I don't want to check.

Anonymous you say? 🔗

This is a bit of a special case going back so many years. Did they receive any reports 10 years ago at all? It would be easier to name them if I was able to communicate with them. The not-so-friendly support chat gave me some bad vibes, and I haven't been able to find out much about the company or the people behind it.

From public financial information I see that they have had 1-2 million USD in annual revenue the last 10 years. As far as I can understand they don't have any other products, so they should have quite a few customers using this service.

Conclusion 🔗

From time to time there are news articles about industrial espionage. Companies like Acme3 sure makes it easy to those looking for data.

Are you working in one of the companies using this system? Maybe you should use an expert to take a quick look at the systems where your company stores information you don't want to be leaked or even altered.

Is it possible that an issue like this was existing for ten years without no one taking advantage of it? That's hard to believe.

Get notified when there are new posts! :-)