CVE-2015-4341 – Scientia Web Server (SWS) SQL injection vulnerability

We discovered a SQL injection vulnerability in the web server component of the Scientia Syllabus+ timetabling product, Scientia Web Server (SWS). Insufficient input validation of user-controlled filter options allows execution of arbitrary SQL commands against the backing database.
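To make the filter-option weakness concrete, the following is an added illustration (not SWS code, and not from Scientia): a filter built by string concatenation beside the hardened form that validates the filter column against an allowlist and binds the filter value as a query parameter. The table name, column names and sample rows are constructed assumptions; SQLite stands in for the reporting database.

```python
import sqlite3

# Constructed sample data standing in for a timetabling reporting table.
# The schema (activities: id, module, room, week) is an assumption for this example.
SAMPLE_ROWS = [
    (1, "CS101", "R1", 5),
    (2, "CS101", "R2", 6),
    (3, "MA200", "R1", 5),
]

# Only these columns may be used as filter options; anything else is rejected.
ALLOWED_FILTER_COLUMNS = {"module", "room", "week"}


def open_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE activities (id INTEGER, module TEXT, room TEXT, week INTEGER)"
    )
    conn.executemany("INSERT INTO activities VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def unsafe_filter(conn, column, value):
    """Vulnerable pattern: both the filter column and value are pasted into the SQL text."""
    sql = f"SELECT id FROM activities WHERE {column} = '{value}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def safe_filter(conn, column, value):
    """Hardened pattern: identifier checked against an allowlist, value bound as a parameter.

    Column names cannot be bound as parameters, so the allowlist is what keeps the
    identifier under application control; the value never touches the SQL text.
    """
    if column not in ALLOWED_FILTER_COLUMNS:
        raise ValueError(f"unsupported filter column: {column!r}")
    sql = f"SELECT id FROM activities WHERE {column} = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = open_db()
    # A value containing a quote is treated as literal data by the hardened query.
    print("safe  :", safe_filter(db, "module", "CS101"))
    print("unsafe:", unsafe_filter(db, "module", "CS101"))
```

The key point for reviewers of similar code is the split of responsibilities: the allowlist governs which identifiers the request can select, and parameter binding guarantees that a value with quote characters is compared literally rather than reinterpreted as SQL. Running the same quote-bearing value through both functions shows the concatenated version returning rows the filter should never match, while the bound version returns none.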

Impact

The SQL injection vector allows full read access to the timetabling reporting database in affected versions of SWS. Certain configurations, mostly in older versions, use an account with db_owner privileges, which allows full (read and write) access to the timetabling database including its schema. In addition, there are common configurations using default database account passwords, which allow escalation to full database access even when a read-only account is used. Depending on other available databases, database users, and database patch levels, further privilege escalation could result in access to other databases and/or operating system command execution.

Affected versions

SWS versions earlier than 2.0.34 and versions from 2.0.41 up to 2.0.49 are affected by this vulnerability. Certain installations might be unaffected if no vulnerable filter options are configured.

Solution

Affected installations should be upgraded to the most recent version of SWS, but at least to version 2.0.49. Furthermore, we recommend ensuring that SWS uses a read-only database user, and that no database users remain in a default password configuration.

Timeline

  • 2015-06-05: Initial discovery
  • 2015-06-05: Contacted Scientia
  • 2015-06-11: First reply from Scientia support
  • 2015-06-19: First reply from Scientia Technical Consultant
  • 2015-07-14: Verified fix in SWS development version
  • 2015-12-03: Public disclosure

Written on 3 December 2015