Researchers at security firm Rapid7 have publicly disclosed a SQL injection vulnerability affecting the financial platform SmartVista after they couldn’t raise a response from the vendor.
SmartVista is a suite of payment infrastructure and management systems created by BPC Group.
SmartVista is a financial product from BPC Banking, Rapid7 experts analyzed it and reported the flaws to the vendor back in May 2017.
The US CERT Coordination Centre and SwissCERT published an alert after the public disclosure of the flaw.
Even if the vulnerability can be triggered only by a user authenticated to the front end (SmartVista’s transactions), the attacker can pass access sensitive data.
“Today we are announcing a SQL injection vulnerability discovered in BPC’s SmartVista, a suite of products related to e-commerce and other financial transaction operations.” reads the analysis published by” Rapid7. Exploiting this vulnerability requires authenticated access to the Transactions portion of SmartVista Front-End. A successful exploitation can yield sensitive data, including usernames and passwords of the database backend. This vulnerability is characterized as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).”.
Users authenticated to the platform with access to the Transactions interface are provided with three input fields:
Rapid7 experts discovered that the front end lack of input validation, it doesn’t sanitize the card number or account number input fields used in the transaction module.
The Card Number field only accepts the exact card number to provide output. The researchers noticed that without knowing a card number beforehand, an attacker can launch a Boolean-based SQL injection through this field.
However, the database responded with a five second delay when Boolean true statements (such as ‘ or ‘1’=’1) were provided, resulting in a time-based SQL injection vector.
An attacker can use this trick to brute-force query the database, allowing information from accessible tables to be exposed.
An attacker adept at scripting could go a long way, the post explains:
“to access usernames and encrypted passwords in the DBA_USERS table of database SYS (Oracle specific), one could craft a series of database queries to ask true/false statements such as “Does the first character, of the first row, in the user’s column start with ‘a’?” On a true response, the transaction values would be returned, indicating that the first character does indeed start with ‘a’. On a false reply, no data would be returned, and the automated system could move on to the next character. This could continue until the full username has been discovered, as well as the password.” continues the analysis.
Rapid7 suggests companies using the SmartVista to press BPC Banking to issue a security update, meantime the adoption of a Web Application Firewalls (WAF) could help to protect the platform from SQL injection attacks.
(Security Affairs – SmartVista, SQL Injection)