Vendor BPC Banking Silent on Patching SQL Injection in SmartVista Ecommerce Software

A popular ecommerce platform sold in 60 countries suffers from a SQL injection vulnerability privately disclosed in April that has yet to be patched by the vendor.

A popular ecommerce platform sold in 60 countries suffers from a SQL injection vulnerability privately disclosed in April that has yet to be patched by the vendor.

BPC Banking Technologies of Switzerland has not acknowledged the vulnerability in its SmartVista suite of ecommerce and financial software product, despite numerous reports from Rapid7, CERT/CC in the U.S., and SwissCERT throughout the summer. A request for comment made by Threatpost has also not been returned or acknowledged.

Rapid7 today publicly disclosed details on the bug, which requires an attacker be authenticated to a computer running the software in order to exploit it.

“This is not a system you would have exposed to the internet,” said Rapid7’s Samuel Huckins. “This is a huge suite of products used by customer service folks for processing transactions. The [attack] vector would be if someone’s machine got compromised and were signed in or otherwise had the credentials recorded, or if the credentials were lost and someone was able to access the instance from another machine.”

The software is deployed worldwide in a number of use-cases, including point-of-sales systems, retail, payment processing, ATM management and others. Given the potential for financial and data loss, Rapid7 decided to go public with its findings beyond the 60 days it normally allows vendors to at least acknowledge a vulnerability and report that a fix is forthcoming.

“After a certain point, we needed to move forward and make it public in the hope they see it and take action,” Huckins said, adding that Rapid7 has seen no evidence of the vulnerability being patched. “This could impact a lot of their customers who may not be aware of this at all.”

SQL injections remain a common web application vulnerability and despite rampant awareness of these bugs, they still remain a thorn.

Rapid7, meanwhile, published an advisory on the bug, describing how researcher Aaron Herndon found the flaw in the Transactions interface of the BPC SmartVista Front-End (SVFE). Version 2.2.10 revision 287921 is impacted, Rapid7 said.

The research report says the SQL injection bugs are time- and Boolean based and while exploiting them manually could be a chore, there are legitimate pen-testing tools such as SQLmap that automate the process.

The Transactions interface, Rapid7 said, includes three input fields where users may enter a payment card number, account number and transaction date. Huckins said two of the fields allow for any text, including SQL statements, to be entered, failing to sanitize input before passing it to the database query.

Rapid7 shared some examples where attackers could use Boolean true search term would return a list of transactions in some fields, while a false term would “No Data Found.” An attacker was not out of luck however given that a five-second delay would occur when Boolean true statements were provided while false statements returned a much faster page response. As a result, an attacker could brute-force query the database and expose information from accessible database tables.

From Rapid7’s report:

“For example, to access usernames and encrypted passwords in the DBA_USERS table of database SYS (Oracle specific), one could craft a series of database queries to ask true/false statements such as “Does the first character, of the first row, in the user’s column start with ‘a’?” On a true response, the transaction values would be returned, indicating that the first character does indeed start with ‘a’. On a false reply, no data would be returned, and the automated system could move on to the next character. This could continue until the full username has been discovered, as well as the password.”

The extent of exposure would hinge on the level of access the BPC SmartVista user has granted to them.

“We let this one go a bit longer mostly because we’re loathe to disclose vulnerabilities that don’t have a patch, especially when we don’t have any contact with the vendor,” Huckins said. “There’s a certain point when you hit the tradeoff of ‘We’ve done due diligence, they’re not responding or taking action and this is the only recourse. This is a bit of a sensitive area with financial transactions and we wanted to give them as much of a chance as we could.”

Suggested articles