Vulnerability Identification and Details

Vulnerability Overview

SQL Injection is a critical security vulnerability that occurs when an application includes user-supplied data in SQL queries without proper validation or escaping. This flaw allows attackers to manipulate the SQL query and execute arbitrary SQL code, potentially gaining unauthorized access to the database, exfiltrating data, or modifying database contents.

Specific Vulnerability in Labvantage LIMS

In the Labvantage LIMS product, the SQL injection vulnerability was found in the param1 parameter of the POST request to the endpoint /labvantage/rc?command=page&page=SampleList&_iframename=list.

Reproduction of the Attack

The following steps were used to identify and confirm the SQL injection vulnerability in the param1 parameter of the POST request to the affected endpoint. The testing was conducted using Burp Suite.

Step 1: Normal Request

  1. Description: A normal request was made with param1 set to the ordinary integer value 97822.
  2. Observation: The size of the response was recorded as the baseline for comparison.

[Image: labvantage_SQLi3.png]

Figure 1: Response size observed for the normal request with param1=97822.

Step 2: Injection with OR Clause

  1. Description: The parameter param1 was modified to include an SQL injection payload: param1=97822')+OR+('1'='1.
  2. Observation: The response returned all items, and its size was significantly greater than that of the normal response. This indicates that the injection succeeded and that the WHERE condition was altered so that it always evaluates to true.
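The following Python is an added illustration of the Step 1/Step 2 comparison and is not code from this advisory or from Labvantage: it models the vulnerable string-built query beside its parameterized fix against a constructed in-memory SQLite table, so the row-count difference mirrors the response-size difference observed above. The table, column names and helper names are assumptions.

```python
import sqlite3

# Constructed in-memory table standing in for a LIMS sample list; the
# real schema and column names are not on the page and are assumed.
SAMPLES = [("97822", "Sample A"), ("97823", "Sample B"), ("97824", "Sample C")]


def make_db():
    """Create the toy database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sample (sampleid TEXT, label TEXT)")
    conn.executemany("INSERT INTO sample VALUES (?, ?)", SAMPLES)
    return conn


def lookup_vulnerable(conn, param1):
    """Vulnerable pattern: the request value is pasted into the SQL text.

    The parentheses around the comparison mirror the quoting that the
    page's payload closes with `')` and reopens with `('`."""
    sql = "SELECT sampleid, label FROM sample WHERE (sampleid = '%s')" % param1
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, param1):
    """Hardened form: a bound parameter, so the value can never become
    SQL syntax regardless of the quotes or keywords it contains."""
    sql = "SELECT sampleid, label FROM sample WHERE (sampleid = ?)"
    return conn.execute(sql, (param1,)).fetchall()


NORMAL = "97822"                  # Step 1 value from the page
TAUTOLOGY = "97822') OR ('1'='1"  # Step 2 payload from the page, URL-decoded


def row_counts(lookup):
    """Return (rows for the normal value, rows for the tautology) for the
    given lookup function: the row-count analogue of the response-size
    comparison in Steps 1 and 2. A fixed lookup should not return more
    rows for the tautology than for the normal value."""
    conn = make_db()
    try:
        return (len(lookup(conn, NORMAL)), len(lookup(conn, TAUTOLOGY)))
    finally:
        conn.close()


if __name__ == "__main__":
    print("vulnerable:", row_counts(lookup_vulnerable))  # (1, 3)
    print("fixed:     ", row_counts(lookup_fixed))       # (1, 0)
```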