CVE-2018-13792
📋 TL;DR
This CVE describes multiple SQL injection vulnerabilities in ABBYY FlexiCapture's monitoring feature HTTP API. Attackers can execute arbitrary SQL commands via mask, sortOrder, filter, or Order parameters, potentially compromising the database. Organizations using ABBYY FlexiCapture versions before 12 Release 2 are affected.
💻 Affected Systems
- ABBYY FlexiCapture
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, or full system takeover via SQL injection to remote code execution.
Likely Case
Database information disclosure, data manipulation, or privilege escalation within the application.
If Mitigated
Limited impact if proper input validation, parameterized queries, and network segmentation are implemented.
🎯 Exploit Status
SQL injection via HTTP parameters typically has low exploitation complexity; no public exploit code identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12 Release 2 (specifically build 12.0.2.1420 or later)
Vendor Advisory: http://www.abbyydownloads.com/fc12/ReleaseNotes_FC12_R2_U6_1299.29_build_12.0.2.1420.pdf
Restart Required: Yes
Instructions:
1. Download ABBYY FlexiCapture 12 Release 2 or later from official vendor sources. 2. Backup current configuration and data. 3. Install the updated version following vendor documentation. 4. Restart the application and verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
allRestrict access to the HTTP API monitoring feature to trusted IP addresses only.
Use firewall rules to limit access to the HTTP API port (typically 80/443) to authorized networks.
Input Validation WAF Rule
allImplement web application firewall rules to block SQL injection patterns in mask, sortOrder, filter, and Order parameters.
Configure WAF to detect and block SQL injection patterns in query parameters.
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries in custom code if possible.
- Disable the monitoring HTTP API feature entirely if not required for operations.
🔍 How to Verify
Check if Vulnerable:
Check ABBYY FlexiCapture version; if earlier than 12 Release 2 (build 12.0.2.1420), it is vulnerable.Check Version:
Check application version in ABBYY FlexiCapture interface or installation directory properties.Verify Fix Applied:
Verify installation of version 12 Release 2 or later and test HTTP API monitoring feature for SQL injection vulnerabilities.📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- HTTP requests with suspicious parameters containing SQL keywords
Network Indicators:
- HTTP requests to monitoring API with SQL injection patterns in parameters
SIEM Query:
source="web_server" AND (url="*monitoring*" AND (param="*mask*" OR param="*sortOrder*" OR param="*filter*" OR param="*Order*") AND (content="*SELECT*" OR content="*UNION*" OR content="*INSERT*" OR content="*DELETE*"))