Rapid7 has gone public with news of an e-commerce SQL injection vulnerability, saying it couldn't raise a response from the vendor.
The software in question, SmartVista, is an e-commerce and financial product from BPC Banking, and in this post, Rapid7 says it told the company about the issue back in May 2017.
The US CERT Coordination Centre and SwissCERT joined the security company's effort to alert the Switzerland-based vendor in July and August, ahead of yesterday's disclosure.
While exploiting the vulnerability needs authenticated access to the front end (SmartVista's transactions), the attacker can pass through to much more sensitive data: “A successful exploitation can yield sensitive data, including usernames and passwords of the database backend”.
That's because the front end doesn't sanitise the card number or account number input fields used in the transaction module.
An attacker adept at scripting could go a long way, the post explains:
“To access usernames and encrypted passwords in the DBA_USERS table of database SYS (Oracle specific), one could craft a series of database queries to ask true/false statements such as 'Does the first character, of the first row, in the user’s column start with a?'
"On a true response, the transaction values would be returned, indicating that the first character does indeed start with ‘a’. On a false reply, no data would be returned, and the automated system could move on to the next character. This could continue until the full username has been discovered, as well as the password.”
Since there's no public acknowledgement of the bug, Rapid7 suggests companies using the software contact BPC Banking. Suitable Web application firewalls could help block SQL injection attempts. ®