Source: disclosure@vulncheck.com
DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. Attackers can send POST requests to /korisnikinfo.php with malicious SQL syntax in these parameters to extract or modify sensitive database information.
Unauthenticated attackers can exploit a critical SQL injection vulnerability in DIGIT CENTRIS ERP to gain unauthorized access to sensitive database information. This flaw allows malicious actors to manipulate database queries via crafted POST requests, potentially leading to data breaches, system compromise, and financial loss.
Step 1: Payload Delivery: The attacker crafts a malicious POST request to /korisnikinfo.php. This request includes specially crafted SQL injection payloads within the datum1, datum2, KID, and/or PID parameters.
Step 2: Request Processing: The vulnerable PHP script /korisnikinfo.php receives the POST request and retrieves the values of the specified parameters.
Step 3: Query Construction: The script constructs SQL queries using the parameter values without proper sanitization. The attacker's injected SQL code is directly incorporated into the query string.
Step 4: Query Execution: The database server executes the maliciously crafted SQL query. The injected SQL code is interpreted and executed by the database.
Step 5: Data Exfiltration/Modification: Depending on the injected SQL payload, the attacker can extract sensitive data (e.g., usernames, passwords, financial records), modify existing data, or potentially gain further control over the system.
The vulnerability stems from insufficient input validation and sanitization of user-supplied data within the /korisnikinfo.php script. Specifically, the script directly incorporates the values of the datum1, datum2, KID, and PID parameters into SQL queries without proper escaping or filtering. This allows an attacker to inject malicious SQL code, altering the intended query logic and enabling actions such as data extraction, modification, or even remote code execution if the database user has sufficient privileges. The root cause is a failure to implement parameterized queries or prepared statements, which would prevent the interpretation of user input as SQL commands. The lack of input validation allows for the injection of SQL syntax, leading to unauthorized database access.
While no specific APTs are directly linked in the provided information, the nature of the vulnerability makes it attractive to a wide range of threat actors, including those seeking financial gain or data theft. The vulnerability's potential for data breaches and system compromise makes it a likely target for both opportunistic and targeted attacks. CISA KEV status is highly probable if the vulnerability is actively exploited.
Network Intrusion Detection Systems (NIDS) should be configured to detect SQL injection attempts. Look for suspicious patterns in HTTP POST requests to /korisnikinfo.php, including the presence of SQL keywords (e.g., SELECT, UPDATE, INSERT, DELETE, UNION, OR, AND) within the datum1, datum2, KID, and PID parameters.
Web Application Firewalls (WAFs) can be deployed to filter malicious requests. Implement rules to block requests containing SQL injection payloads.
Review web server access logs for unusual activity, such as a high volume of requests to /korisnikinfo.php or requests containing suspicious parameter values. Note that default access-log formats do not record POST bodies, so inspecting the datum1, datum2, KID, and PID values requires request-body logging at the web server, reverse proxy, or WAF.
Monitor database server logs for unexpected queries or errors that may indicate SQL injection attempts.
Implement file integrity monitoring to detect any unauthorized changes to the /korisnikinfo.php file or related files.
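An added example of the log review described above (not code from the advisory or the vendor): it parses constructed sample lines in an assumed reverse-proxy log format that records the POST body, flags the watched parameters that carry the SQL keywords named here, and counts POSTs to /korisnikinfo.php per source address. The log format, the sample traffic, and the volume threshold are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample traffic (not real). Assumes a reverse-proxy/WAF log format that
# appends the POST body as a final quoted field; default access logs omit the body.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2024:12:00:01 +0000] "POST /korisnikinfo.php HTTP/1.1" 200 512 "datum1=2024-01-01&datum2=2024-01-31&KID=42&PID=7"
203.0.113.10 - - [10/Jun/2024:12:00:02 +0000] "POST /korisnikinfo.php HTTP/1.1" 200 9831 "datum1=2024-01-01'+OR+1%3D1--&datum2=2024-01-31&KID=42&PID=7"
198.51.100.5 - - [10/Jun/2024:12:00:03 +0000] "POST /korisnikinfo.php HTTP/1.1" 500 120 "datum1=2024-01-01&datum2=2024-01-31&KID=1+UNION+SELECT+1%2C2&PID=7"
203.0.113.10 - - [10/Jun/2024:12:00:04 +0000] "POST /login.php HTTP/1.1" 302 0 "user=ana&pass=x"
203.0.113.10 - - [10/Jun/2024:12:00:05 +0000] "POST /korisnikinfo.php HTTP/1.1" 200 512 "datum1=2024-02-01&datum2=2024-02-28&KID=42&PID=7"
203.0.113.10 - - [10/Jun/2024:12:00:06 +0000] "POST /korisnikinfo.php HTTP/1.1" 200 512 "datum1=2024-03-01&datum2=2024-03-31&KID=42&PID=7"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<body>[^"]*)"$'
)
TARGET_PATH = "/korisnikinfo.php"
WATCHED_PARAMS = ("datum1", "datum2", "KID", "PID")
# Keywords named in the advisory; \b stops "OR"/"AND" matching inside ordinary words.
SQL_KEYWORD_RE = re.compile(r"\b(SELECT|UPDATE|INSERT|DELETE|UNION|OR|AND)\b", re.I)

def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def flag_params(body):
    """Return {param: decoded value} for watched parameters that carry SQL keywords."""
    decoded = parse_qs(body, keep_blank_values=True)  # also undoes %xx and '+' encoding
    return {name: value for name in WATCHED_PARAMS
            for value in decoded.get(name, []) if SQL_KEYWORD_RE.search(value)}

def analyze(log_text, volume_threshold=3):
    """Report keyword hits in POSTs to the target script and sources over the volume threshold."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue  # unparseable lines and other endpoints are out of scope
        per_ip[rec["ip"]] += 1
        for param, value in flag_params(rec["body"]).items():
            hits.append({"ip": rec["ip"], "param": param, "value": value, "status": rec["status"]})
    return {"hits": hits, "high_volume": {ip: n for ip, n in per_ip.items() if n > volume_threshold}}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Keyword matching is a coarse first filter; pair it with the database-side log review described below, since a 500 response on a flagged request (as in the third sample line) often corresponds to a query error the database also recorded.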
Implement parameterized queries or prepared statements in all database interactions. This prevents the interpretation of user-supplied data as SQL code.
Validate all user-supplied input against an allowlist of expected formats, and treat the filtering and escaping of special characters as defence in depth rather than as a substitute for parameterized queries.
Apply the latest security patches provided by the vendor. This may include fixes for the SQL injection vulnerability.
Implement a Web Application Firewall (WAF) to filter malicious requests.
Enforce the principle of least privilege for database users. Limit the permissions of the database user used by the application to only the necessary operations.
Regularly scan the application for vulnerabilities using automated tools.
Conduct penetration testing to identify and address security weaknesses.