URL: https://huntr.dev/bounties/4ab24ee2-3ff6-4248-9555-0af3e5f754ec/
Submission: On February 08 via api from US — Scanned from DE

SQL DATABASE ERROR COULD LEAD TO SQL INJECTION WITH INTERNAL PATH DISCLOSURE IN
FROXLOR/FROXLOR

0

Valid

Reported on

Jan 27th 2023

--------------------------------------------------------------------------------

Hello,

Through manipulating Parameter I get an SQL Error which can lead to SQL
Injection. Plus that there is an internal Path Disclosure.

Best regards Ahmed Hassan


IMPACT

Hello,

Through manipulating Parameter I get an SQL Error which can lead to SQL
Injection. Plus that there is an internal Path Disclosure.

Best regards Ahmed Hassan


REFERENCES

 * SQL Database Error could lead to SQL Injection with internal Path Disclosure

We are processing your report and will contact the froxlor team within 24 hours.
11 days ago
Michael Kaufmann Michael
commented 11 days ago

Maintainer

--------------------------------------------------------------------------------

Can you please explain where an actual SQL Injection is possible? All I see is a
failed prepared SQL query

ahmedvienna
commented 11 days ago

Researcher

--------------------------------------------------------------------------------

As I mentioned it is possible to find a SQL Injection Vulnerability but I did
not mention that I find a SQL Injection Vulnerability.

Due to this Error the attacker can try different Syntax to identify the columns
and number, names of the tables used.

Moreover failing to use a prepared statement/query can be a big issue for a SQL
Injection Vulnerability due to no prepared statements given from the Developer
and the Code will run in the Database and interpreted as Code.

Plus that you can see the Error Message coming out at the End of the Video. This
should also be not visible for normal Users.

Michael Kaufmann Michael
commented 11 days ago

Maintainer

--------------------------------------------------------------------------------

You've specified this report type to be CWE-89: SQL Injection - which is just
untrue. Froxlor uses prepared statements throughout the system.

The uncaught exception has been fixed. Also keep in mind that our demo has
special adjustments and might not always reflect 100% the same as the current
release.

ahmedvienna
commented 11 days ago

Researcher

--------------------------------------------------------------------------------

That's good to know so you patched the uncaught Error which was the main problem
and security Issue with the internal Path Disclosure.

I will be happy if you can verify the security issue as you have patched the
uncaught exception as mentioned before.

ahmedvienna modified the report
11 days ago
ahmedvienna
commented 11 days ago

Researcher

--------------------------------------------------------------------------------

The Vulnerability Report Title was changed as it is not a SQL Injection
Vulnerability.

ahmedvienna modified the report
11 days ago
Michael Kaufmann validated this vulnerability 11 days ago

Agreed on the "internal path disclosure", the title is now a bit misleading
though

ahmedvienna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
ahmedvienna
commented 11 days ago

Researcher

--------------------------------------------------------------------------------

Can you please assign it a CVE

Michael Kaufmann marked this as fixed in 2.0.10 with commit 7b08a7 11 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Jan 29th 2023
Michael Kaufmann published this vulnerability 10 days ago
ahmedvienna
commented 10 days ago

Researcher

--------------------------------------------------------------------------------

Hello. The CVE for this Vulnerability has not been published. When will you
publish it?

Michael Kaufmann Michael
commented 10 days ago

Maintainer

--------------------------------------------------------------------------------

It's literally a note above your comment, it is scheduled to go public on Jan
29th...why so impatient? Gotta give users time to update before this report
shows exactly how the exploit works

CVE: CVE-2023-0572 (published)
Vulnerability Type: CWE-391: Unchecked Error Condition
Severity: Medium (5.3)
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
Registry: Other
Affected Version: Release 2.0
Visibility: Public
Status: Fixed
Found by: ahmedvienna (@ahmedvienna)

This report was seen 422 times.