huntr.dev
2600:9000:223d:b800:14:bb32:5f00:93a1
Public Scan
URL:
https://huntr.dev/bounties/4ab24ee2-3ff6-4248-9555-0af3e5f754ec/
Submission: On February 08 via api from US — Scanned from DE
SQL DATABASE ERROR COULD LEAD TO SQL INJECTION WITH INTERNAL PATH DISCLOSURE IN FROXLOR/FROXLOR

Valid
Reported on Jan 27th 2023
--------------------------------------------------------------------------------
Hello,

Through manipulating a parameter I get an SQL error which can lead to SQL injection. Plus, there is an internal path disclosure.

Best regards
Ahmed Hassan

IMPACT

Hello,

Through manipulating a parameter I get an SQL error which can lead to SQL injection. Plus, there is an internal path disclosure.

Best regards
Ahmed Hassan

REFERENCES

* SQL Database Error could lead to SQL Injection with internal Path Disclosure

We are processing your report and will contact the froxlor team within 24 hours. (11 days ago)

Michael Kaufmann (Maintainer) commented 11 days ago
--------------------------------------------------------------------------------
Can you please explain where an actual SQL Injection is possible? All I see is a failed prepared SQL query

ahmedvienna (Researcher) commented 11 days ago
--------------------------------------------------------------------------------
As I mentioned, it is possible to find a SQL injection vulnerability, but I did not mention that I found a SQL injection vulnerability. Due to this error the attacker can try different syntax to identify the columns and number, names of the tables used. Moreover, failing to use a prepared statement/query can be a big issue for a SQL injection vulnerability, due to no prepared statements given from the developer, and the code will run in the database and be interpreted as code. Plus, you can see the error message coming out at the end of the video. This should also not be visible to normal users.

Michael Kaufmann (Maintainer) commented 11 days ago
--------------------------------------------------------------------------------
You've specified this report type to be CWE-89: SQL Injection - which is just untrue. Froxlor uses prepared statements throughout the system. The uncaught exception has been fixed. Also keep in mind that our demo has special adjustments and might not always reflect 100% the same as the current release.

ahmedvienna (Researcher) commented 11 days ago
--------------------------------------------------------------------------------
That's good to know, so you patched the uncaught error which was the main problem and security issue with the internal path disclosure. I will be happy if you can verify the security issue, as you have patched the uncaught exception as mentioned before.

ahmedvienna modified the report 11 days ago

ahmedvienna (Researcher) commented 11 days ago
--------------------------------------------------------------------------------
The vulnerability report title was changed as it is not a SQL injection vulnerability.

ahmedvienna modified the report 11 days ago

Michael Kaufmann validated this vulnerability 11 days ago
Agreed on the "internal path disclosure", the title is now a bit misleading though

ahmedvienna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7

ahmedvienna (Researcher) commented 11 days ago
--------------------------------------------------------------------------------
Can you please assign it a CVE

Michael Kaufmann marked this as fixed in 2.0.10 with commit 7b08a7 11 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jan 29th 2023

Michael Kaufmann published this vulnerability 10 days ago

ahmedvienna (Researcher) commented 10 days ago
--------------------------------------------------------------------------------
Hello. The CVE for this vulnerability has not been published. When will you publish it?

Michael Kaufmann (Maintainer) commented 10 days ago
--------------------------------------------------------------------------------
It's literally a note above your comment, it is scheduled to go public on Jan 29th...why so impatient? Gotta give users time to update before this report shows exactly how the exploit works

CVE: CVE-2023-0572 (published)
Vulnerability Type: CWE-391: Unchecked Error Condition
Severity: Medium (5.3)
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
Registry: Other
Affected Version: Release 2.0
Visibility: Public
Status: Fixed
Found by: ahmedvienna (@ahmedvienna)

This report was seen 422 times.