CVE-2026-3057

Source: cna@vuldb.com

MEDIUM
5.3
Published: February 24, 2026 at 03:16 AM
Modified: February 24, 2026 at 03:16 AM

Vulnerability Description

A security flaw has been discovered in a54552239 pearProjectApi up to 2.8.10. Affected is the function dateTotalForProject of the file application/common/Model/Task.php of the component Backend Interface. The manipulation of the argument projectCode results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Metrics

Base Score
5.3
Severity
MEDIUM
Vector String
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: cna@vuldb.com

AI Security Analysis

01 // Technical Summary

A critical SQL injection vulnerability exists in pearProjectApi up to version 2.8.10, exploitable remotely by manipulating the projectCode argument. This flaw, located in the dateTotalForProject function, enables attackers to compromise the backend database and potentially gain remote code execution on the database server; the vendor's lack of response means no fix is available.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious projectCode string containing SQL injection code. This payload is designed to manipulate the SQL query executed by the dateTotalForProject function.

Step 2: Request Submission: The attacker sends a specially crafted HTTP request to the vulnerable Backend Interface, targeting the endpoint that calls the dateTotalForProject function and passing the malicious projectCode as an argument.

Step 3: Query Execution: The application, lacking proper input validation, incorporates the attacker's projectCode directly into an SQL query. The injected SQL code is then executed by the database server.

Step 4: Data Exfiltration/Manipulation: Depending on the injected SQL, the attacker can achieve various objectives, such as retrieving sensitive data (e.g., usernames, passwords, financial information), modifying database records, or potentially gaining remote code execution on the database server itself.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and sanitization of the projectCode parameter within the dateTotalForProject function in application/common/Model/Task.php. The function directly incorporates the user-supplied projectCode into an SQL query without proper escaping or filtering. This allows an attacker to inject malicious SQL code, altering the intended query logic and potentially retrieving sensitive data, modifying database contents, or even executing arbitrary commands on the database server. The lack of vendor response exacerbates the risk, as no official patches or mitigations are available.

04 // Exploitation Status

**Actively exploited**. The vulnerability has a public exploit, making it easily accessible to attackers. The vendor's lack of response further increases the risk of exploitation.

05 // Threat Intelligence

Due to the public exploit and lack of vendor response, this vulnerability is likely to be targeted by a wide range of threat actors, including both opportunistic attackers and more sophisticated groups. There is no specific APT attribution available at this time.

CISA KEV: Not Listed

06 // Detection & Hunting

  • Monitor web server logs for suspicious HTTP requests containing SQL injection payloads in the projectCode parameter, such as common SQL injection keywords (e.g., SELECT, UNION, OR 1=1, DROP).

  • Implement a Web Application Firewall (WAF) to filter malicious requests based on known SQL injection patterns and signatures.

  • Analyze database server logs for unusual query activity, such as unexpected queries, errors, or attempts to access sensitive tables.

  • Monitor network traffic for unusual patterns, such as large data transfers from the database server or suspicious connections to external hosts.
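The first hunting bullet, carried out in Python over constructed web server access-log lines, as an added example that is not part of the advisory or of the pearProjectApi project: it URL-decodes the projectCode query parameter, flags the keywords named above plus comment and quote markers, and also flags any value that does not look like a short alphanumeric code. The endpoint path, the sample log lines and the expected projectCode shape are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicator patterns from the advisory's hunting guidance (SELECT, UNION, OR 1=1,
# DROP) plus SQL comment and quote markers. Assumed list; tune for your traffic.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("select", re.compile(r"\bselect\b", re.I)),
    ("drop", re.compile(r"\bdrop\b", re.I)),
    ("or-1=1", re.compile(r"\bor\b\s*['\"]?\s*\d+\s*=\s*\d+", re.I)),
    ("comment", re.compile(r"--|#|/\*")),
    ("quote", re.compile(r"'")),
]
# Assumed shape of a legitimate projectCode (short alphanumeric). Anything else is
# flagged even when no keyword matches, so unusual payloads still surface.
EXPECTED_CODE = re.compile(r"^[A-Za-z0-9]{1,32}$")

# Combined Log Format; only the client IP, request target and status are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines. The route is an assumption; the advisory does not
# name the HTTP endpoint that reaches dateTotalForProject.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Feb/2026:03:20:01 +0000] "GET /project/dateTotalForProject?projectCode=a1b2c3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Feb/2026:03:20:02 +0000] "GET /project/dateTotalForProject?projectCode=a1b2c3%27%20OR%201%3D1--%20 HTTP/1.1" 200 9812 "-" "python-requests/2.31"
203.0.113.9 - - [24/Feb/2026:03:20:03 +0000] "GET /project/dateTotalForProject?projectCode=x%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 500 211 "-" "curl/8.0"
198.51.100.2 - - [24/Feb/2026:03:20:04 +0000] "GET /project/list?projectCode=zzz HTTP/1.1" 200 400 "-" "Mozilla/5.0"
"""

def classify(value):
    """Return the indicator names that fire on a URL-decoded projectCode value."""
    names = [name for name, pat in SQLI_PATTERNS if pat.search(value)]
    if not EXPECTED_CODE.match(value):
        names.append("unexpected-shape")
    return names

def hunt(log_text):
    """Return (ip, status, projectCode, indicators) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes, so encoded payloads are inspected in the clear.
        for value in parse_qs(urlsplit(m["target"]).query).get("projectCode", []):
            indicators = classify(value)
            if indicators:
                hits.append((m["ip"], int(m["status"]), value, indicators))
    return hits
```

Run `hunt()` over a real access log instead of SAMPLE_LOG and correlate the flagged client IPs with the database-log review in the third bullet; a 500 response paired with a flagged value often marks a probing attempt that broke the query.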

07 // Remediation & Hardening

  • Implement robust input validation and sanitization for the projectCode parameter. This should include escaping special characters, using parameterized queries (prepared statements), and whitelisting allowed characters or patterns.

  • Upgrade to a patched version of pearProjectApi if one becomes available. Since the vendor has not responded, this is unlikely.

  • If possible, implement a Web Application Firewall (WAF) to filter malicious requests.

  • Review and harden the database server configuration, including limiting user privileges and enabling auditing.

  • Consider migrating to a different API or library if the vendor does not provide a fix.

08 // Affected Products

pearProjectApi <= 2.8.10