CVE-2012-3873

Source: cve@mitre.org

MEDIUM
6.5
Published: December 28, 2012 at 11:48 AM
Modified: April 11, 2025 at 12:51 AM

Vulnerability Description

Multiple SQL injection vulnerabilities in Open Constructor 3.12.0 allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) data/gallery/edit.php, (2) data/guestbook/edit.php, (3) data/file/edit.php, (4) data/htmltext/edit.php, (5) data/publication/edit.php, or (6) data/event/edit.php.

CVSS Metrics

Base Score
6.5
Severity
MEDIUM
Vector String
AV:N/AC:L/Au:S/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Open Constructor 3.12.0 suffers from multiple SQL injection vulnerabilities, allowing authenticated attackers to execute arbitrary SQL commands. Successful exploitation could lead to complete database compromise, including data theft, modification, and potentially server takeover, impacting the confidentiality, integrity, and availability of the affected system.

02 // Vulnerability Mechanism

Step 1: Authentication: The attacker must first authenticate to the Open Constructor application, likely by obtaining valid credentials or exploiting another vulnerability to bypass authentication.

Step 2: Payload Construction: The attacker crafts a malicious SQL injection payload designed to achieve a specific goal, such as retrieving sensitive data (e.g., usernames, passwords), modifying data, or executing arbitrary commands on the database server.

Step 3: Payload Delivery: The attacker sends a crafted HTTP request to one of the vulnerable edit.php files (e.g., data/gallery/edit.php) with the malicious SQL payload injected into the id parameter.

Step 4: Query Execution: The vulnerable PHP script receives the request and incorporates the attacker's input (the malicious SQL payload) directly into an SQL query without proper sanitization.

Step 5: Database Interaction: The database server executes the modified SQL query, which now includes the attacker's malicious code.

Step 6: Result Retrieval: The database server returns the results of the executed query, which may include sensitive data, modified data, or an error message indicating successful exploitation.

03 // Deep Technical Analysis

The vulnerability stems from a failure to validate or escape user-supplied input before incorporating it into SQL queries. Specifically, the id parameter of the edit.php script in six data modules (gallery, guestbook, file, htmltext, publication, and event) is used directly in SQL queries, so attacker-controlled text is parsed as part of the SQL statement rather than treated as a value. The root cause is the absence of parameterized queries or prepared statements, which would prevent the input from being interpreted as SQL commands. The lack of input validation, such as checking that the id parameter is a numeric identifier of bounded length, compounds the problem. Together these permit a wide range of SQL injection techniques, including retrieving sensitive data, modifying existing data, and potentially gaining unauthorized access to the underlying database server.

04 // Exploitation Status

Public PoC: exploits are readily available online. The vulnerability is likely actively exploited given its simplicity and the potential for high impact.

05 // Threat Intelligence

While no specific APT groups are directly linked to this CVE, the ease of exploitation makes it attractive to a wide range of attackers, including script kiddies and financially motivated cybercriminals. The vulnerability could be used as part of a larger attack chain. Not listed on CISA KEV.

06 // Detection & Hunting

  • Web application firewall (WAF) logs showing suspicious SQL injection attempts, such as the use of common SQL injection keywords (e.g., SELECT, UNION, OR, AND) in the id parameter of requests to the vulnerable edit.php files.

  • Database server logs revealing unusual query activity, such as unexpected queries or queries containing malicious payloads.

  • Network traffic analysis identifying HTTP requests with suspicious payloads in the id parameter.

  • Intrusion detection system (IDS) alerts triggered by SQL injection signatures.

  • File integrity monitoring (FIM) to detect unauthorized modifications to the database or web application files.

07 // Remediation & Hardening

  • Upgrade to a patched version of Open Constructor or the latest available version, if one exists. Check the vendor's website for updates.

  • Implement parameterized queries or prepared statements to prevent SQL injection. This separates the SQL code from the user-supplied input.

  • Sanitize all user-supplied input before using it in SQL queries. This includes escaping special characters and validating the data type and length of the input.

  • Implement a web application firewall (WAF) to filter malicious requests.

  • Regularly scan the web application for vulnerabilities using automated tools.

  • Review and harden the database server configuration, including limiting user privileges and enabling auditing.

  • Implement a strong password policy and enforce multi-factor authentication (MFA) for all user accounts.

  • Monitor web server and database server logs for suspicious activity.
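To make the root cause described in section 03 and the first two hardening bullets above concrete, here is an added example (not Open Constructor's code) that models the id handling of an edit.php script in Python against an in-memory SQLite table: the concatenating version beside the validated, parameterized one. The table, its rows and the function names are assumptions for this demo.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the table data/gallery/edit.php reads; the
# schema and rows are assumptions for this demo, not Open Constructor's own.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gallery (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany("INSERT INTO gallery VALUES (?, ?, ?)",
                     [(1, "Holiday", "alice"), (2, "Private", "bob"), (3, "Drafts", "carol")])
    return conn

def load_gallery_vulnerable(conn, raw_id):
    # The defect the advisory describes: the id parameter is pasted into the query
    # text, so the database parses whatever the user sent as SQL, not as a value.
    sql = "SELECT id, title FROM gallery WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def is_valid_id(raw_id):
    # Type and length check the advisory recommends: a positive integer of at most
    # ten digits. Anything with spaces, quotes, keywords or comments is rejected.
    return re.fullmatch(r"[1-9][0-9]{0,9}", raw_id) is not None

def load_gallery_hardened(conn, raw_id):
    # Validation first, then a prepared statement with the value bound as a
    # parameter: the SQL text is fixed, so the input can never change its meaning.
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id, title FROM gallery WHERE id = ?",
                        (int(raw_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(load_gallery_vulnerable(db, "2"))         # [(2, 'Private')]
    print(load_gallery_vulnerable(db, "2 OR 1=1"))  # all three rows: the WHERE clause was rewritten
    print(load_gallery_hardened(db, "2"))           # [(2, 'Private')]
    try:
        load_gallery_hardened(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

Either control alone blocks this case; keeping both is the point of the advisory, since validation limits what reaches the database and binding guarantees that whatever does reach it is treated as data.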

08 // Affected Products

Open Constructor 3.12.0

09 // Discovered Proof of Concept Links