CVE-2020-35382
Description
SQL Injection in Classbooking before 2.4.1 via the username field of a CSV file when adding a new user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Classroombookings < 2.4.1 allows an authenticated admin to execute arbitrary SQL via the username field of an imported CSV file.
Vulnerability
The vulnerability is a SQL injection in the user import functionality of Classroombookings before version 2.4.1 [1]. When an administrator adds a new user by importing a CSV file, the username field is not sanitized, allowing injection of SQL commands. The affected version is indicated as 2.2.0 in the advisory, and the fix is in 2.4.1 [1]. The attacker must have administrator access to the application [1].
Exploitation
An administrator logs in and navigates to the user import page [1]. They upload a CSV file where the username field contains a crafted SQL injection payload, such as a UNION-based injection with an INTO OUTFILE clause to write a file to the web server [1]. The POST request is sent to /hcms/index.php/users/import with the CSV file as multipart form data [1]. The example payload writes a PHP web shell to the server's web directory [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL statements, potentially leading to reading, modifying, or deleting database records [1]. In the provided example, the attacker uses the injection to write a PHP file to the web server, resulting in remote code execution if the MySQL user has FILE privileges and the web directory is writable [1]. This can lead to full compromise of the web application and server [1].
Mitigation
The vulnerability is fixed in Classroombookings version 2.4.1 [1]. The fix likely involves proper sanitization of the username field during CSV import. Administrators should upgrade to version 2.4.1 or later immediately [1]. If upgrading is not possible, restrict access to the user import functionality to only trusted administrators and ensure the MySQL database user does not have the FILE privilege [1].
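The mitigation above comes down to two controls on the import path: never let a CSV field reach the SQL engine as part of the statement text, and reject usernames that do not match the shape a username is supposed to have. The following is an added example written for this page, not Classroombookings' own code. It assumes a `users` table with `username` and `email` columns, uses an in-memory SQLite database in place of MySQL, and the allow-list pattern `USERNAME_RE` is an assumption chosen for the example. The CSV input is constructed: two clean rows and one whose username field carries SQL metacharacters.

```python
import csv
import io
import re
import sqlite3

# Allow-list for usernames. This pattern is an assumption for the example,
# not the project's own rule; adjust it to the identifiers your site issues.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def new_db():
    """Create an in-memory SQLite stand-in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT UNIQUE NOT NULL, email TEXT)"
    )
    return conn


def import_users(conn, csv_text):
    """Import users from CSV text.

    Returns (imported, rejected); `rejected` is a list of (csv_line, reason).
    Every field is passed to the driver as a bound parameter, so the username
    is data to the database and is never interpreted as SQL, whatever it holds.
    Rows that fail the allow-list are skipped and reported, not silently dropped.
    """
    imported, rejected = 0, []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        username = (row.get("username") or "").strip()
        email = (row.get("email") or "").strip()
        if not USERNAME_RE.fullmatch(username):
            rejected.append((line_no, f"invalid username {username!r}"))
            continue
        conn.execute(
            "INSERT INTO users (username, email) VALUES (?, ?)",
            (username, email),
        )
        imported += 1
    conn.commit()
    return imported, rejected


def store_raw(conn, username):
    """Insert a username with parameter binding but without the allow-list.

    Shown to make the point that binding alone already defeats the injection:
    the string is stored verbatim as a value, never executed. The allow-list is
    the second, independent layer. Returns the value as read back from the table.
    """
    conn.execute(
        "INSERT INTO users (username, email) VALUES (?, ?)", (username, "")
    )
    conn.commit()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0]


# Constructed sample input: the third row's username is the kind of field the
# advisory describes, quotes and a comment marker included.
SAMPLE_CSV = """username,email
alice,alice@example.org
bob.smith,bob@example.org
"x' OR 1=1 --",nobody@example.org
"""


def demo():
    """Run the import and return (imported, rejected_count, stored_verbatim, total_rows)."""
    conn = new_db()
    imported, rejected = import_users(conn, SAMPLE_CSV)
    hostile = "x' OR 1=1 --"
    stored_verbatim = store_raw(conn, hostile) == hostile
    total = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return imported, len(rejected), stored_verbatim, total


if __name__ == "__main__":
    print(demo())
```

The same shape applies to a PHP/MySQL code base: use prepared statements with bound parameters for the INSERT and validate the field before it is used anywhere else (templates, mail, log lines). For the second half of the mitigation, `SHOW GRANTS FOR CURRENT_USER()` run as the application's database user shows whether it holds FILE, `REVOKE FILE ON *.* FROM 'app'@'host'` removes it, and setting `secure_file_priv` to NULL in the server configuration disables `INTO OUTFILE` entirely regardless of grants.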
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Classbooking/Classbooking
- Range: <2.4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/craigrodway/classroombookings/issues/27 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.