← Advisories

OpenBMCS 2.4 Authenticated SQL Injection

High

Advisory ID

ZSL-2022-5692

Release Date

16 January 2022

Vendor

OPEN BMCS - https://www.openbmcs.com

Affected Version

2.4

CVE

N/A

Tested On

Linux Ubuntu 5.4.0-65-generic (x86_64), Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686), Apache/2.4.41 (Ubuntu), Apache/2.4.25 (Debian), nginx/1.16.1, PHP/7.4.3, PHP/7.0.33-0+deb9u9

Summary

Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board.

Description

OpenBMCS suffers from an SQL Injection vulnerability. Input passed via the 'id' GET parameter is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Proof of Concept

openbmcs_sqli.txtTXT

Disclosure Timeline

26.10.2021Vulnerability discovered.

17.11.2021Vendor contacted.

15.01.2022No response from the vendor.

16.01.2022Public security advisory released.

Credits

Vulnerability discovered by Semen Rozhkov

References

[1]https://exchange.xforce.ibmcloud.com/vulnerabilities/217432

[2]https://www.exploit-db.com/exploits/50668

[3]https://packetstormsecurity.com/files/165581/OpenBMCS-2.4-SQL-Injection.html

Changelog

16.01.2022Initial release

20.01.2022Added reference [1], [2] and [3]