Hacking

Swiss BPC banking software SmartVista is vulnerable to SQL Injection attacks

The suite of payment infrastructure and management systems SmartVista created by the BPC Group is vulnerable to SQL Injection attacks.

Researchers at security firm Rapid7 have publicly disclosed a SQL injection vulnerability affecting the financial platform SmartVista after they couldn’t raise a response from the vendor.

SmartVista is a suite of payment infrastructure and management systems created by BPC Group.

SmartVista is a financial product from BPC Banking, Rapid7 experts analyzed it and reported the flaws to the vendor back in May 2017.

The US CERT Coordination Centre and SwissCERT published an alert after the public disclosure of the flaw.

Even if the vulnerability can be triggered only by a user authenticated to the front end (SmartVista’s transactions), the attacker can pass access sensitive data.

“Today we are announcing a SQL injection vulnerability discovered in BPC’s SmartVista, a suite of products related to e-commerce and other financial transaction operations.” reads the analysis published by” Rapid7. Exploiting this vulnerability requires authenticated access to the Transactions portion of SmartVista Front-End. A successful exploitation can yield sensitive data, including usernames and passwords of the database backend. This vulnerability is characterized as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).”.

Users authenticated to the platform with access to the Transactions interface are provided with three input fields:

  • “Card Number”
  • “Account Number”
  • “Transaction Date from”

Rapid7 experts discovered that the front end lack of input validation, it doesn’t sanitize the card number or account number input fields used in the transaction module.

The Card Number field only accepts the exact card number to provide output. The researchers noticed that without knowing a card number beforehand, an attacker can launch a Boolean-based SQL injection through this field.

However, the database responded with a five second delay when Boolean true statements (such as ‘ or ‘1’=’1) were provided, resulting in a time-based SQL injection vector.

An attacker can use this trick to brute-force query the database, allowing information from accessible tables to be exposed.

An attacker adept at scripting could go a long way, the post explains:

“to access usernames and encrypted passwords in the DBA_USERS table of database SYS (Oracle specific), one could craft a series of database queries to ask true/false statements such as “Does the first character, of the first row, in the user’s column start with ‘a’?” On a true response, the transaction values would be returned, indicating that the first character does indeed start with ‘a’. On a false reply, no data would be returned, and the automated system could move on to the next character. This could continue until the full username has been discovered, as well as the password.” continues the analysis.

Rapid7 suggests companies using the SmartVista to press BPC Banking to issue a security update, meantime the adoption of a Web Application Firewalls (WAF) could help to protect the platform from SQL injection attacks.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – SmartVista, SQL Injection)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

2 hours ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

6 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

20 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.