Researchers recently identified a significant SQL injection vulnerability in Apple’s Book Travel portal. The flaw was part of the broader attack surface found in Apple’s environment and was reachable via the JSON API that interacts with various internal functions. It allowed unauthorized SQL queries to be executed, with the potential for remote code execution (RCE). The discovery was described in a detailed write-up on the ProjectDiscovery Cloud Platform blog, where the researchers outlined the steps they used to pinpoint vulnerable SQL injection sinks.
To identify the vulnerability, the researchers parsed the CFM/CFC files and analyzed each SQL statement in the code. Specifically, they looked for ‘cfquery’ tags that lacked proper parameterization, which makes them susceptible to SQL injection if no additional validation is in place. They also explored the application’s behavior under different conditions, such as manipulating the ‘previewID’ parameter to set the ‘isOnDisplay’ property to true, which was crucial for exploiting the vulnerability.
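A minimal static check in the spirit of the review described above, as an added example that is not the researchers' tooling or code from the original write-up: it flags `cfquery` bodies that interpolate a `#expression#` outside a `cfqueryparam` tag. The sample functions, table and argument names are constructed, and the regexes are a triage heuristic rather than a full CFML parser.

```python
import re
from pathlib import Path

# Heuristic patterns; this is a triage aid, not a CFML parser.
CFCOMMENT_RE = re.compile(r"<!---.*?--->", re.S)
CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery\s*>", re.I | re.S)
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
HASH_EXPR_RE = re.compile(r"#([^#\r\n]+)#")

def find_unparameterized_queries(source, filename="<inline>"):
    """Report cfquery bodies that interpolate #expr# outside cfqueryparam."""
    # Blank out CFML comments but keep newlines so line numbers stay correct.
    source = CFCOMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    findings = []
    for match in CFQUERY_RE.finditer(source):
        # Bound values are safe: drop cfqueryparam tags and escaped '##'.
        body = CFQUERYPARAM_RE.sub("", match.group(1)).replace("##", "")
        exprs = [e.strip() for e in HASH_EXPR_RE.findall(body)]
        if exprs:
            line = source.count("\n", 0, match.start()) + 1
            findings.append({"file": filename, "line": line, "expressions": exprs})
    return findings

def scan_tree(root):
    """Scan every .cfm/.cfc file under root and return all findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".cfm", ".cfc"}:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(find_unparameterized_queries(text, str(path)))
    return findings

# Constructed sample (hypothetical function, table and argument names).
SAMPLE_CFC = '''<cffunction name="getSafe">
  <cfquery name="rs" datasource="#variables.dsn#">
    SELECT title FROM items
    WHERE itemID = <cfqueryparam cfsqltype="cf_sql_varchar" value="#arguments.itemID#">
  </cfquery>
</cffunction>
<cffunction name="getUnsafe">
  <cfquery name="rs" datasource="#variables.dsn#">
    SELECT title FROM items
    WHERE itemID = '#arguments.itemID#'
  </cfquery>
</cffunction>
'''
if __name__ == "__main__":
    for f in find_unparameterized_queries(SAMPLE_CFC, "sample.cfc"):
        print(f"{f['file']}:{f['line']}: unbound {f['expressions']}")
```

A finding is only a candidate sink: each flagged query still has to be reviewed for validation applied to the interpolated value before it reaches the SQL text.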
Having found the SQL injection flaw, the researchers were able to exploit it to achieve remote code execution. They reset an administrator’s password: they obtained the necessary tokens and IDs through SQL injection and used this information to reset the password via the portal’s endpoint. They then uploaded CFM files using a plugin installation feature, further demonstrating the severity of the flaw.
The findings were promptly communicated to Apple and to the teams responsible for Masa and Mura CMS. Apple addressed the issue within two hours of the initial report. Masa, an open-source fork of Mura CMS, released an updated version of the CMS that included the necessary security fixes. Attempts to contact the Mura team about the vulnerabilities were unsuccessful and received no response.