Devome GRR SQL Injection Vulnerability in Session Management

Vulnerability

In Devome GRR version 4.5.0, multiple authenticated SQL injection vulnerabilities were identified in the session management file 'include/session.inc.php'. The vulnerabilities arise from unsanitized user input in the HTTP referer and user-agent headers, which are logged into the application's database. This injection can be exploited by authenticated users to manipulate SQL queries, potentially leading to unauthorized data access or modification.
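
The pattern described above, shown next to a parameterized form. This is an added example, not code from GRR or from 'include/session.inc.php': the table `session_log`, its columns, both function names and the header values are hypothetical, and an in-memory SQLite database (via PDO) stands in for the application's database so the script runs offline.

```php
<?php
// Added example: hypothetical schema and function names, not GRR's own code.
// In-memory SQLite stands in for the application's database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE session_log (login TEXT, referer TEXT, user_agent TEXT)');

// Constructed request headers: the Referer carries a quote and a comment marker.
$headers = [
    'referer'    => "https://example.test/', 'forged-agent') -- ",
    'user_agent' => 'Mozilla/5.0 (constructed sample)',
];

// Vulnerable pattern: header values are concatenated into the SQL text,
// so a quote in a header changes the structure of the statement.
function log_session_unsafe(PDO $db, string $login, array $h): void
{
    $sql = "INSERT INTO session_log (login, referer, user_agent) VALUES ('"
         . $login . "', '" . $h['referer'] . "', '" . $h['user_agent'] . "')";
    $db->exec($sql);
}

// Hardened pattern: placeholders keep header values as data only,
// and each value is capped in length before it is stored.
function log_session_safe(PDO $db, string $login, array $h): void
{
    $stmt = $db->prepare(
        'INSERT INTO session_log (login, referer, user_agent) VALUES (?, ?, ?)'
    );
    $stmt->execute([
        $login,
        substr($h['referer'], 0, 255),
        substr($h['user_agent'], 0, 255),
    ]);
}

log_session_unsafe($db, 'alice', $headers);
log_session_safe($db, 'alice', $headers);

// Row 0 was written by the unsafe function, row 1 by the safe one.
$rows = $db->query('SELECT referer, user_agent FROM session_log ORDER BY rowid')
           ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $i => $row) {
    printf("%s: referer=%s | user_agent=%s\n",
        $i === 0 ? 'unsafe' : 'safe', $row['referer'], $row['user_agent']);
}
```

In the unsafe row the stored user agent is the value carried in the Referer header rather than the one the client sent as User-Agent; in the safe row both headers are stored exactly as received.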

Impact

Exploitation of this vulnerability allows authenticated users to inject malicious SQL into the application's database queries. This could be used to extract, modify, or delete database information, including sensitive data such as user credentials. In recent versions, passwords are hashed with bcrypt, adding a layer of security, but the injection could still be exploited to access other sensitive information or disrupt application functionality.

Reproduction

To reproduce this vulnerability, log in to the application as an authenticated user. Then send a login request with a crafted referer that includes a SQL injection payload, such as one that uses a time-based blind injection technique. The injection point is reached after authentication, and the response indicates successful exploitation, for example through a delay caused by the injected payload executing on the database.

Remediation

Users are advised to update to Devome GRR version 4.5.0, where this vulnerability has been fixed.

Added: Mar 19, 2026, 3:24 PM
Updated: Mar 19, 2026, 3:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.