VYPR
Critical severity · NVD Advisory · Published Feb 22, 2022 · Updated Aug 4, 2024

CVE-2021-44567

Description

An unauthenticated SQL Injection vulnerability exists in RosarioSIS before 7.6.1 via the votes parameter in ProgramFunctions/PortalPollsNotes.fnc.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in RosarioSIS before 7.6.1 via unsanitized $_POST['votes'] keys in the PortalPollsVote() function.

Vulnerability

The vulnerability is an unauthenticated SQL injection in RosarioSIS versions before 7.6.1. It resides in the PortalPollsVote() function within ProgramFunctions/PortalPollsNotes.fnc.php. The function directly concatenates the $poll_id parameter into an SQL query without sanitization. Although RosarioSIS sanitizes $_REQUEST values via DBEscapeString, it does not sanitize $_GET and $_POST arrays directly, and the array_rwalk function only sanitizes values, not keys. The votes parameter in $_POST is used as an array where keys become $poll_id, leading to injection via unsanitized keys. [2]

Exploitation

An unauthenticated attacker can send a crafted HTTP POST request to the vulnerable endpoint. The request must include a votes array parameter with a malicious key containing an SQL injection payload. The attacker does not need any authentication or special privileges. The injection occurs when the key is directly inserted into the query string. [2]

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the database. This can lead to unauthorized access, data exfiltration, modification, or deletion of database contents. The attacker gains the ability to read sensitive information, potentially including user credentials and other confidential data. [2]

Mitigation

The issue is fixed in RosarioSIS version 7.6.1, released on or before February 22, 2022. The fix involved moving the poll vote code to use sanitized $_REQUEST instead of $_POST and adding sanitization of array keys in the array_rwalk function. [3][4] Users should upgrade to version 7.6.1 or later. No workarounds are documented; upgrading is the recommended action.
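
The difference between a value-only recursive walk and one that also escapes keys, as an added PHP example that is not RosarioSIS code. All function names are hypothetical, `escape_value()` is a stand-in for a database escaping routine, the request data is constructed, and the integer check assumes poll ids are numeric.

```php
<?php
// Added illustration, not RosarioSIS source. All function names are hypothetical.

// Stand-in for a database escaping routine (doubles single quotes) so the
// example runs without a database connection.
function escape_value(string $s): string
{
    return str_replace("'", "''", $s);
}

// Recursive walk that escapes values only: keys are copied through untouched.
function walk_values_only(array $in): array
{
    $out = [];
    foreach ($in as $key => $value) {
        $out[$key] = is_array($value)
            ? walk_values_only($value)
            : escape_value((string) $value);
    }
    return $out;
}

// Recursive walk that escapes keys as well as values.
function walk_keys_and_values(array $in): array
{
    $out = [];
    foreach ($in as $key => $value) {
        $out[escape_value((string) $key)] = is_array($value)
            ? walk_keys_and_values($value)
            : escape_value((string) $value);
    }
    return $out;
}

// Assumption: poll ids are non-negative integers, so anything else is rejected.
function is_valid_poll_id($key): bool
{
    return is_int($key) ? $key >= 0 : ctype_digit((string) $key);
}

// Constructed request data: one key carries a stray quote, one is a normal id.
$votes = ["7'x" => ['0' => "a'b"], '12' => ['0' => '1']];
$runs = ['values only' => walk_values_only($votes), 'keys too' => walk_keys_and_values($votes)];
foreach ($runs as $label => $clean) {
    foreach (array_keys($clean) as $pollId) {
        printf("%-11s key=%-7s valid_id=%s\n", $label, json_encode($pollId), json_encode(is_valid_poll_id($pollId)));
    }
}
```

The value-only walk returns the quoted key unchanged, which is the gap the description attributes to `array_rwalk`; the integer check rejects that key under either walk.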

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| francoisjacquet/rosariosis (Packagist) | < 7.6.1 | 7.6.1 |
