fineract v1.1.0 SQL Injection


Recent days avikganguly01 has committed 3 fix patches into fineract project in Github. These patches have fixed SQL injection vulnerabilities in three positions. The framework used to be the Core Banking System (CBS) which is customer-centric, core transaction system that handles accounting, meet the integrated teller system, and provides 24-hour service.

And the vulnerabilities which are fixed recent days are given CVE ID: CVE-2018-1290,CVE-2018-1291,CVE-2018-1292. All of them belongs to SQL injection vulnerability.



The vulnerable function is sqlEncodeString() which uses apostrophe and double quote to validate the SQL statement input. Evidently, this function is always used in user input function which means it will eventually import malicious payload from users' input.



The vulnerable function is getReportType().

From the code review, the parameter reportName is the key point which result in the SQL vulnerability. Trace the call hierarchy and find the function runReport().

Go into the function and check, it shows that the function uses the annotation type method to definite the parameter in users' input. It is apparent GET method and its parameter is reportName, the URL path is /runreports.



The vulnerable function is retrieveDataTableGenericResultSet()。

It can be checked here that the vulnerable parameter is order. Trace the call hierarchy and find two functions import the vulnerable parameter.

And all of these two calls are under the path of /database.

The first vulnerability is in the path of /datatables/apptableId, the parameter is order and the HTTP method is GET.

The second vulnerability is in the path of /datatables/apptableId/datatableId,the parameter is order and the HTTP method is GET.

Fineract Security Function Analysis

It can be checked out that the three vulnerabilities are fixed by different security functions.

  1. validateSQLInput()
  2. validateSqlInjection()

Function validateSQLInput() firstly check if the input contained malicious character, it would throw an exception.

And thus use a variable injectionFound to mark whether the input contains SQL payload via the above function. Token is used to test the SQL statement. Once the code discovers the malicious character the variable injectionFound will be assigned to the value true and the an exception will be thrown out.

Actually function validateSqlInjection() call function validateSQLInput() to control the vulnerable parameter, that is validate the user input. So the key security function is function validateSQLInput(). The function validateSqlInjection() also do some other validations in SQL statement.