-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-001
Product: sam*
Vendor: secova
Affected Version(s): 5.8.2 and below
Tested Version(s): 5.7.11
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2016-01-08
Solution Date: 2016-04-18
Public Disclosure: 2016-05-24
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

An SQL injection vulnerability could be identified in the sam* application.

The sam* application is described as follows [2]:

"sam* is an electronic documentation system and is used primarily in the areas of health and safety, occupational safety, occupational health, environmental protection, quality waste management and HR. (Keyword: EHS Software) All essential operational requirements for companies are ideally satisfied with sam*. sam* dovetails the most important main and sub-disciplines (ISO, OHSAS, knowledge logistics and legal compliance) with one another."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found an SQL injection vulnerability in the data retrieval of the sam* application: the value of the sort request parameter of the getResponsibleMeasuresExplicit module is used inside an SQL query without proper escaping (see the proof of concept below). The vulnerability can be exploited by authenticated users.
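The following Python example is added here to illustrate the flaw class and its fix; it is not code from the advisory, from SySS, or from the sam* product, whose server-side implementation is not shown. It uses an in-memory SQLite table as a constructed stand-in for the application's measure data (only the column name gmId comes from the PoC request; title and status are assumptions). The vulnerable path splices the sort, dir, start and limit request values straight into the SQL text, so the advisory's sort value surfaces as a database error; the hardened path maps sort and dir onto an allowlist, because identifiers in ORDER BY cannot be passed as bound parameters, and binds LIMIT/OFFSET as parameters.

```python
import sqlite3

# Constructed in-memory stand-in for the application's measure table. Only the
# column name gmId appears in the advisory; title and status are assumptions.
SCHEMA = """
CREATE TABLE measures (
    gmId   INTEGER PRIMARY KEY,
    title  TEXT NOT NULL,
    status TEXT NOT NULL
);
"""
ROWS = [
    (3, "Replace fire extinguishers", "open"),
    (1, "Update hazard register", "open"),
    (2, "Noise survey hall B", "closed"),
]

# URL-decoded value of the sort parameter in the advisory's PoC request.
POC_SORT = "gmId, foobar invalid SQL"

# Columns a client may sort by. The fix is an allowlist because identifiers
# (column names, ASC/DESC) cannot be supplied as bound parameters.
SORTABLE_COLUMNS = {"gmId", "title", "status"}
DIRECTIONS = {"": "ASC", "ASC": "ASC", "DESC": "DESC"}


class InvalidSortParameter(ValueError):
    """Raised for a sort/dir value that is not on the allowlist."""


def connect():
    """Create the constructed sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO measures VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_query(conn, sort, direction, start, limit):
    """Flaw class from the advisory: request values are spliced into the SQL
    text. Input that is not a valid ORDER BY clause reaches the database and
    surfaces as an SQL error, which is the signal the PoC request produces."""
    sql = (f"SELECT gmId, title FROM measures "
           f"ORDER BY {sort} {direction} LIMIT {limit} OFFSET {start}")
    return conn.execute(sql).fetchall()


def build_order_by(sort, direction):
    """Map client input onto a safe ORDER BY clause or reject it outright."""
    columns = [c.strip() for c in sort.split(",")] if sort.strip() else ["gmId"]
    for col in columns:
        if col not in SORTABLE_COLUMNS:
            raise InvalidSortParameter(f"unsupported sort column: {col!r}")
    dir_key = direction.strip().upper()
    if dir_key not in DIRECTIONS:
        raise InvalidSortParameter(f"unsupported sort direction: {direction!r}")
    return ", ".join(f'"{col}" {DIRECTIONS[dir_key]}' for col in columns)


def hardened_query(conn, sort, direction, start, limit):
    """Allowlisted identifiers in the SQL text, bound parameters for values."""
    order_by = build_order_by(sort, direction)
    sql = f"SELECT gmId, title FROM measures ORDER BY {order_by} LIMIT ? OFFSET ?"
    return conn.execute(sql, (int(limit), int(start))).fetchall()


def vulnerable_raises_db_error(conn, sort):
    """True if the vulnerable path lets the input reach the database as SQL."""
    try:
        vulnerable_query(conn, sort, "", "0", "10")
    except sqlite3.OperationalError:
        return True
    return False


def hardened_rejects(sort, direction=""):
    """True if the allowlist stops the input before any SQL is built."""
    try:
        build_order_by(sort, direction)
    except InvalidSortParameter:
        return True
    return False


if __name__ == "__main__":
    db = connect()
    print("vulnerable path reaches the database:",
          vulnerable_raises_db_error(db, POC_SORT))
    print("hardened path rejects the PoC value:", hardened_rejects(POC_SORT))
    print(hardened_query(db, "title", "DESC", "0", "2"))
```

Rejecting an unknown sort column with an application-level error (rather than passing it on and relying on the database error) is also what makes the condition detectable: a spike in InvalidSortParameter rejections for the dispatchRequest.php endpoint is a clean log signal, whereas database syntax errors are easily lost among other failures.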
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following POST request causes an error message which shows that the user input is used inside an SQL query without proper escaping:

POST /libs/sam/common/dispatchRequest.php?controller=Sam_Measure_Controller_MeasureController&module=getResponsibleMeasuresExplicit HTTP/1.1
Host:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=
Connection: close
Pragma: no-cache
Cache-Control: no-cache

areaList=%7B%22data%22%3A%22open%22%7D&data=open&start=0&limit=10&anode=&sort=gmId,+foobar+invalid+SQL&dir=&area=common,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to version 5.8.3 or later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-12-22: Vulnerability discovered
2016-01-08: Vulnerability reported to vendor
2016-04-18: Release of a fixed version
2016-05-24: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] SySS GmbH, SYSS-2016-001
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-001.txt
[2] Vendor description of sam*
    https://www.secova.de/en/home/what-is-sam/
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Franz G. Jahn of the SySS GmbH.
E-Mail: franz.jahn (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXQzpKAAoJENWmFJbQahTeIIMP/Rq1woMK/bJ1XGQgQrCAsNul
/Mkm7znz4Jn0KT9XSzpISex0HXJouXUYm7bhj3EHE+oeRBrseqlarsLe1Ign/tXQ
L9PckVLbD3B9/Y+De50P+WUY5FXpNBeGVRQjulf90Qlqb87C2ENlz/8pp2GDG4zs
//cL1HDlgCIIwZJ+pl4UWRn8oNz8pGqGAw9Y7RsMXDVcCsxVI/nl4AFRtsmgvboY
airGcJdtewhDMcNMtFCwe6eeDzPy2uA/0AyuJ5DVCSvfvG2sA098nAs3tkZq9fha
rABJgO1CCzkZohtvrvCFZzCJeBTg2yRTSF4Sz9rVCTyEq3sUlWawuHbQ4Q61YzYb
yXRF7HFG4JaeMhZnkIaC7CcSAmTwZ3PZjO4RLZZldcxCi0oPfvJTUYkTFwwiKiQa
pUrKz15WEX1c0UWkv4mi3iemQIID5hEX6pb5YvZ9C8+dlGho+kO1a+Rq/i1SzOhB
dKVDNKi4dyh6OqMvPN6pdGZ1XEv0xKyOjx9Ga+GOnRR/nl6WlnUFKKNm9g+0RoA/
++FbyXeo1iCoOJAiZDJlHVKo/MCFGcHYgYAHNTurUKFrIOOqqfftGzxl0HpaEqr5
63w6VAc2/b/sUOQayVMW4bPBUIqqieBu7osHapdE5Jb7SQUyOOj/5VTZq1UzJW4r
5L4eV8Ns1+qiTwiZ5Wft
=N5x9
-----END PGP SIGNATURE-----