A SQL injection vulnerability exists in REDCap versions 7.0.0 – 7.0.10.  This has been designated CVE-2017-7351.

What is REDCap?

According to https://projectredcap.org, 2018:

“REDCap is a secure web application for building and managing online surveys and databases. While REDCap can be used to collect virtually any type of data (including 21 CFR Part 11, FISMA, and HIPAA-compliant environments), it is specifically geared to support online or offline data capture for research studies and operations.”

Redcap stands for Research Electronic Data CAPture and is used by a large variety of organisations around the world. At the time of writing, their website claims to have 2,669 institutions which collaborate in the development and use of this software.
The vast majority of the user-base for this application appear to be operating within either the Educational or Medical sectors.

What is the vulnerability?

The vulnerability identified allows an attacker to inject code into the main database of the application. This unfiltered communication to the database provides the capability to access and read all information stored within.
Accessing the database does require a valid user account, however a user with any level of privilege can be used in order to carry out the attack.

Why is this bad?

Despite an attacker only being capable of reading the information within the database, this could provide them with the means to escalate privileges within the application by dumping the usernames and password hashes stored within. Should they successfully manage to obtain this data, the attacker only needs to crack the hash in order to receive increased privileges.

In addition to other credentials being enumerable, an attacker would also have raw access to other tables within the database; including those storing the information gathered by the institutions. This could result in unauthorised access of confidential information, potentially resulting in legal ramifications.

How do I fix this?

Fortunately, a mitigation for this vulnerability has already been implemented in version 7.0.11 of REDCap. If your institution is running an outdated version of the software then it is heavily advised that it is patched to the latest available version.

The technical stuff

The file upload handler SendITController:upload on versions 7.0.X through 7.0.10 of REDCap does not perform sufficient sanitization on user input.
This allows an attacker to conduct blind, time-based SQL injection; providing sufficient time is provided, this could result in full enumeration of confidential data including usernames, password hashes, password reset questions and logs.
Exploitation of this vulnerability requires access to a registered account; however, that account requires no special privileges.
This proof of concept causes vulnerable versions of the application to hang for 5 seconds:
route=SendItController:upload' AND SLEEP(5) AND '1'='1
Identification of this vulnerability was performed on version 7.0.5, however REDCap confirmed that the handler was initially implemented in version 7.0.0, with the security mitigations being introduced in version 7.0.11.

Timeline

  • Initial contact: 23/03/2017 @ 11:00 UTC
  • Response from technical team: 26/03/2017 @ 22:00 UTC
  • CVE reservation acquired: 30/03/2017
  • Vulnerability was patched in version 7.0.11
  • Public Disclosure: 08/02/2018