openSIS Student Information System 0-day Vulnerability (CVE-2021-41691)

openSIS is one of several free and open-source student information systems available to K-12 and higher education institutions. The solution is a web-based application developed and maintained by Open Solutions for Education, Inc. (www.os4ed.com).

As a result of our research, we detected SQL injection vulnerabilities in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER[SCHOOL]" parameters in a POST request sent to /TransferredOutModal.php.

How Did We Detect openSIS Student Information System SQL Injection Vulnerability?

As the Security For Everyone team, we regularly look for 0-day vulnerabilities in software we select. One of the applications we chose was the openSIS Student Information System web application, which serves educational institutions. After deciding which application to examine, we performed the following steps in order:

  1. We decided to manually examine the application's source code, downloaded from SourceForge, after we saw that automatic source code analysis tools produced too many false positives.
  2. Through static and dynamic analysis of the source code, we detected a SQL injection vulnerability in the "student_id" and "TRANSFER[SCHOOL]" parameters sent to the TransferredOutModal.php page.
  3. We confirmed that the vulnerability could be triggered when we sent the required SQL injection payload in the vulnerable parameter.
  4. Using the SQL injection vulnerability we detected, we could access all tables and data in the database.
  5. Finally, we applied to MITRE and received our CVE ID.

What To Do?

After detecting the vulnerability, we sent two e-mails to the vendor to discuss it. However, although the software is kept up to date, we did not receive a response to the e-mails we sent to report the security vulnerability. If the software is updated in the future, applying those updates is highly recommended for the security of your system.
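
Until a fixed release is available, requests to the affected endpoint can be screened at a reverse proxy or in log review. The following is an added example, not code from openSIS or from the original post: it flags POST bodies to /TransferredOutModal.php in which "student_id" or "TRANSFER[SCHOOL]" is not a plain integer. It assumes both fields carry numeric record IDs and that the body is application/x-www-form-urlencoded; the function names and sample requests are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

TARGET = "/transferredoutmodal.php"           # endpoint named in the advisory
WATCHED = {"student_id", "TRANSFER[SCHOOL]"}  # parameters named in the advisory


def php_name(raw):
    """Normalise a form field name the way PHP does before filling $_POST:
    leading spaces are dropped, and dots/spaces in the base name become '_'."""
    raw = raw.lstrip(" ")
    base, bracket, rest = raw.partition("[")
    return base.replace(".", "_").replace(" ", "_") + bracket + rest


def is_numeric_id(value):
    # Assumption: both fields carry small positive integer IDs.
    return value.isascii() and value.isdigit() and len(value) <= 10


def check_request(method, url, body):
    """Return [(param, value), ...] for watched fields that are not plain integers."""
    if method.upper() != "POST":
        return []
    # endswith() covers installs under a sub-directory such as /opensis/.
    if not urlsplit(url).path.lower().endswith(TARGET):
        return []
    findings = []
    # parse_qsl percent-decodes names and values; every duplicate is checked.
    for name, value in parse_qsl(body, keep_blank_values=True):
        name = php_name(name)
        if name in WATCHED and not is_numeric_id(value):
            findings.append((name, value))
    return findings


# Constructed sample requests (method, URL, urlencoded body); not real traffic.
SAMPLES = [
    ("POST", "/opensis/TransferredOutModal.php", "student_id=42&TRANSFER%5BSCHOOL%5D=3"),
    ("POST", "/opensis/TransferredOutModal.php",
     "student_id=42%27+OR+%271%27%3D%271&TRANSFER%5BSCHOOL%5D=3"),
    ("POST", "/opensis/TransferredOutModal.php", "student.id=42&TRANSFER%5BSCHOOL%5D=3+--+"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(url, check_request(method, url, body) or "ok")
```

Screening like this is a stopgap: the durable fix is for the application to bind these values as parameters in prepared statements.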

Sources

  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41691
  • https://opensis.com/
  • https://www.exploit-db.com/exploits/50637