DESUP2 / Telecommunication-Management

Telecommunication Management software for Small call centre purpose
MIT License

Potential SQL Injection in Your GitHub Project #1

Open ParisaMomeni opened 7 months ago

ParisaMomeni commented 7 months ago

As part of an automated scan, a file in one of your GitHub repositories was flagged as being potentially exploitable via SQL injection. An attacker might inject carefully crafted SQL code to read, modify, or delete the database. A link to the relevant file is attached.

Flagged file: https://github.com/DESUP2/Telecommunication-Management/raw/02a06f71ea6bec0a677961faf2378bf855ea63b4/Management%20Systems/Telecommunication%20Management%20System/Staff.cs

For more information on preventing SQL injection attacks, please see the OWASP SQL Injection Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

For more information on SQL-IDIAs, please see our research paper: https://cse.usf.edu/~ligatti/papers/SQL-IDIA.pdf

For questions or a proof of concept, please email me and Kevin (kevindennis@usf.edu).

Sincerely,

Parisa Momeni parisamomeni@usf.edu Ph.D. Student, Computer Science and Engineering University of South Florida

DESUP2 commented 7 months ago

SQL injection does not happen automatically. Somebody has to trigger it against a target system. Who triggered it? On your request I shall review this to identify anything misleading in the application.

Regards, Supradip Dey.

DESUP2 commented 7 months ago

We have moved on towards advanced coding of the application server and a customized database server, and you are still stuck at SQL injection etc. Think big; try to do something advanced.

Regards, Supradip Dey

DESUP2 commented 7 months ago

Dear Kevin,

I personally appreciate your step of reviewing the code of the telecom management project, but almost all of it is SQL statements. Again, if you want to leverage your knowledge you must find the code of Notepad, Paint, Office Word, Excel, video editing, codecs, compression, encryption, database, application server, email server and so on.

Your PhD subject is very old fashioned. Think big; do some advanced research.

Thanks, Supradip Dey

ParisaMomeni commented 7 months ago

In the above file, there are one or more instances where string.Format is used to directly insert user input into a SQL query. A malicious user COULD inject malicious SQL code. In this scenario, we recommend using prepared statements, as described in the OWASP link, to safeguard against such malicious behavior. Note that we are NOT saying such an incident has occurred, only that it might be possible.
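For readers following the thread, the pattern the comment above describes and the prepared-statement fix it recommends side by side, as an added example in the project's language; this is not code from Staff.cs or the repository, and the `Staff` table, its columns and the connection string are assumed placeholders.

```csharp
// Added example, not code from the Telecommunication-Management repository.
// Contrasts string.Format building SQL text from user input (the pattern
// flagged in the issue) with a parameterised SqlCommand.
// Assumed: a hypothetical Staff table with Name and Designation columns.
using System;
using System.Data;
using System.Data.SqlClient;

public static class StaffQueries
{
    // The flagged pattern: the user's value becomes part of the SQL text, so
    // the database cannot distinguish data from code. Even a legitimate name
    // such as O'Brien produces a broken statement, which is the same root
    // cause that lets crafted input be interpreted as SQL.
    public static string BuildVulnerableQuery(string staffName)
    {
        return string.Format(
            "SELECT Name, Designation FROM Staff WHERE Name = '{0}'", staffName);
    }

    // The hardened form: the SQL text is a constant and the value travels as a
    // typed parameter, so the driver never splices it into the statement.
    public static SqlCommand BuildParameterisedCommand(SqlConnection conn, string staffName)
    {
        var cmd = new SqlCommand(
            "SELECT Name, Designation FROM Staff WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = staffName;
        return cmd;
    }

    public static void Main()
    {
        // Constructed input: a legitimate name that happens to contain a quote.
        const string name = "O'Brien";
        Console.WriteLine(BuildVulnerableQuery(name));
        // Output: SELECT ... WHERE Name = 'O'Brien'  (malformed SQL)

        // Placeholder connection string; constructing the object does not connect.
        using var conn = new SqlConnection("Server=.;Database=Telecom;Integrated Security=true");
        var cmd = BuildParameterisedCommand(conn, name);
        Console.WriteLine(cmd.CommandText);
        // Output: the SQL text is unchanged; @name carries the value separately
        Console.WriteLine(cmd.Parameters["@name"].Value);
    }
}
```

A quick review check for a C# code base is to search for `string.Format`, `$"..."` interpolation or `+` concatenation whose result is passed to a `SqlCommand` constructor or assigned to `CommandText`; each hit should be converted to the parameterised form above.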

DESUP2 commented 7 months ago

In such a case the programmer has two ways to generate SQL code before triggering this. One: by invoking SQL code from an OS-level text file; and second: describe a variable as SQL text, invoke the variable and trigger it.

You may adopt some different ways of implementing the same.

Regards, Supradip Dey

DESUP2 commented 7 months ago

The GSM network architecture consists of different elements that all interact together to form the overall GSM system. These include elements like the base station, BSC, MSC, AuC, HLR, VLR, etc. This application is just a usable end-user-like application. You can update this according to your requirements. This will require a small campus telecom facility, advisably something like the MDC-3281/EMDC-3296 – TELECOM Telecommunication Networks Training System, and for that you may require funding from the University of South Florida.