SQL injection vulnerabilities have been detected by Rapid7's cybersecurity specialists in the SmartVista e-payments suite sold by Swiss-based BPC Banking Technologies. The flaws put sensitive information at risk of hacking.
The SmartVista platform is used by large organizations around the world for online banking, e-commerce, ATM and payment card management, and fraud prevention. The main components of SmartVista are Front-End and Back-Office systems.
Rapid7 has found that SmartVista Front-End, specifically version 2.2.10 revision 287921, is affected by two SQL injection flaws.
A hacker who has access to the SmartVista Front-End interface can exploit the vulnerabilities to obtain data stored in the backend database.
The “Transactions” page in the “Customer Service” section of SmartVista Front-End allows users to see the transaction details of a specified card or bank account. The fields where the card and account number are entered fail to sanitize user-supplied input.
This allows hackers to use specially crafted queries to get the application to display data from the backend database, including usernames, passwords, card numbers, and other transaction details.
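As an added illustration (not code from the advisory, from Rapid7 or from SmartVista), here is the card-number lookup pattern described above in a vulnerable form next to a hardened form. It uses an in-memory SQLite table with constructed sample rows; the table name, column names and the 12-to-19-digit card-number format are assumptions, not SmartVista's schema.

```python
import re
import sqlite3

# Constructed sample rows standing in for a transactions table (not real data).
SAMPLE_ROWS = [
    ("4111111111111111", "ACC-001", "2017-05-01", 120.50),
    ("5500000000000004", "ACC-002", "2017-05-02", 75.00),
    ("4000000000000002", "ACC-003", "2017-05-03", 9.99),
]

COLUMNS = "card_number, account, tx_date, amount"


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions "
        "(card_number TEXT, account TEXT, tx_date TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, card_number):
    """Vulnerable pattern: the form field is spliced into the SQL text, so
    quote characters in the input change the query instead of being data."""
    sql = f"SELECT {COLUMNS} FROM transactions WHERE card_number = '{card_number}'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, card_number):
    """Parameterised query: the driver binds the value, so the input can only
    ever be compared against card_number, whatever characters it contains."""
    sql = f"SELECT {COLUMNS} FROM transactions WHERE card_number = ?"
    return conn.execute(sql, (card_number,)).fetchall()


# A card number is a short run of digits; anything else is rejected up front.
CARD_RE = re.compile(r"\d{12,19}")


def lookup_safe(conn, card_number):
    """Hardened lookup: whitelist validation first, then a bound parameter.
    Validation gives a clear error and a log-worthy event; binding is the
    control that actually prevents the injection."""
    if not CARD_RE.fullmatch(card_number):
        raise ValueError("card number must be 12 to 19 digits")
    return lookup_bound(conn, card_number)
```

Rejected inputs from `lookup_safe` are a useful detection signal: a card-number field that receives quotes or SQL keywords is worth alerting on even after the query itself has been parameterised.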
Rapid7 specialists reported the vulnerabilities to BPC Banking Technologies on May 10, but the company has not yet released patches.
CERT/CC and SwissCERT also tried to contact the company, but without any success.