Saturday, February 22, 2025

Another SQL Injection in SLIMS 9.6.1 (CVE-2025-26200)

Well, hello Broccolitos!

This is my second article about a SLIMS vulnerability that I found in January 2025.

This vulnerability was found in /admin/modules/reporting/customs/visitor_report_day.php, in the "month" parameter.

Like similar vulnerabilities, this issue arises from improper input sanitization. It can allow an attacker to obtain sensitive information. However, it is only exploitable if the attacker already has admin privileges.

Source code

(Screenshot of visitor_report_day.php before and after the patch; the image is not reproduced in this text.)
You can see that before the vulnerability was patched, the month input was not sanitized at all.
After the patch, the developer changed the input handling to use an array of valid month values (01, 02, ..., 12) and added a check that the input is one of those values before it is processed.
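As an added example (not the SLIMS project's own code), this is what a whitelist check of the kind the patch describes can look like in PHP, with the validated value additionally bound as a prepared-statement parameter as defense in depth; the function names and the table and column names are assumptions for illustration:

```php
<?php
// Added example, not SLIMS code: whitelist validation for the "month"
// parameter in the spirit of the fix described above. Function names,
// the query shape and the visitor_count schema are assumptions.

declare(strict_types=1);

/**
 * Return the month as a two-digit string only if it is one of the twelve
 * allowed values; otherwise return null. The strict in_array() comparison
 * stops PHP type juggling from accepting inputs such as "1abc" or "01 OR 1".
 */
function validateMonth(mixed $input): ?string
{
    $validMonths = ['01', '02', '03', '04', '05', '06',
                    '07', '08', '09', '10', '11', '12'];

    if (!is_string($input)) {          // rejects ?month[]=x style arrays too
        return null;
    }
    return in_array($input, $validMonths, true) ? $input : null;
}

/**
 * Build the per-day visitor report for one month. The value never reaches
 * the SQL string by concatenation: it is bound as a parameter, so even a
 * future change to validateMonth() cannot reintroduce injection here.
 * Assumed schema: visitor_count(member_id, checkin_date).
 */
function fetchVisitorsPerDay(mysqli $db, string $year, string $month): array
{
    $stmt = $db->prepare(
        'SELECT DAY(checkin_date) AS day, COUNT(*) AS visitors
           FROM visitor_count
          WHERE YEAR(checkin_date) = ? AND MONTH(checkin_date) = ?
          GROUP BY DAY(checkin_date)'
    );
    $stmt->bind_param('ss', $year, $month);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Request handling: anything outside the whitelist is rejected before use.
$month = validateMonth($_GET['month'] ?? null);
if ($month === null) {
    http_response_code(400);
    exit('Invalid month parameter');
}
// $rows = fetchVisitorsPerDay($db, $year, $month);  // $db, $year from the app
```

Validating against a fixed list of literals is the right pattern for a parameter with a small, known set of values; the prepared statement only adds a second layer in case the check is later weakened.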

Steps to reproduce:

  1. Intercept the request to the vulnerable endpoint above in Burp Suite and modify the "month" parameter.
    (In this step you can inject a time-based blind SQLi payload manually to extract the data, or use sqlmap for a simpler approach. I preferred sqlmap for automation.)

  2. Save the HTTP request to a file with Notepad.

  3. Run sqlmap with the -r option to pass the saved request file.
    (On a real target, you may use --tamper, --level, --risk, and --random-agent to bypass the firewall. In that case, you must find the best combination of options.)

To patch this CVE, update to the latest version or modify the visitor_report_day.php code as shown in the image above.

This vulnerability was reported on 6 January. The issue was patched on 7 January. A CVE was reserved on 21 February 2025.

That's all from me, thank you for reading my blog.

Hasta Luego, Broccolitos!!!