CVE-2019-13489
📋 TL;DR
CVE-2019-13489 is a SQL injection vulnerability in Trape, a people-tracking tool. core/db.py builds a SQL statement from the data[2] value without parameterizing it, so whoever controls that value can execute arbitrary SQL against the Trape database. All Trape checkouts through 2019-05-08 are affected. An attacker can read, modify or delete database contents.
💻 Affected Systems
- Trape (people tracking tool)
📦 What is this software?
Trape, the open-source people-tracking tool published at github.com/jofpin/trape; it is written in Python, and core/db.py is its database access layer.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Trape database: theft of all tracked-visitor data, authentication bypass, and, if the database backend and its privileges allow it, code execution through database functions leading to full takeover of the host.
Likely Case
Disclosure of database contents (tracked visitors, session data), session hijacking, and privilege escalation within the application through SQL injection.
If Mitigated
Limited impact where the data[2] value is validated against an allow-list, queries are parameterized, and the database account used by Trape has only the privileges its own tables require.
🎯 Exploit Status
The vulnerability is documented in the vendor's GitHub issue with the exact parameter named, so no separate public exploit is needed: generic SQL injection tooling (sqlmap, for example) can be pointed at the vulnerable parameter directly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commits to the official repository dated after 2019-05-08
Vendor Advisory: https://github.com/jofpin/trape/issues/168
Restart Required: Yes
Instructions:
1. Update Trape to the latest version from the official GitHub repository (git pull, or a fresh clone).
2. If you maintain a local copy, make sure core/db.py has been replaced by the patched version from that repository.
3. Restart the Trape service.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation that rejects any data[2] value which is not a plain identifier before it reaches core/db.py, and replace the string-concatenated statement with a parameterized query.
# In core/db.py: build the statement with placeholders and pass data[2] as a bound parameter
# Example: use prepared statements instead of string concatenation; never quote user input into SQL by hand
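The pattern behind both workarounds, shown as an added example (this is not Trape's own core/db.py, and the victims table, its columns and the meaning of data[0] and data[1] are assumptions): a lookup that concatenates data[2] into the statement, the same lookup with the value bound as a parameter, and an allow-list validator for installs that cannot be patched yet. It uses an in-memory SQLite database as a stand-in backend.

```python
import re
import sqlite3

# Constructed stand-in for the Trape database: an in-memory SQLite table of
# tracked visitors. Table and column names are assumptions, not Trape's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE victims (id INTEGER PRIMARY KEY, ident TEXT, ip TEXT, browser TEXT)"
    )
    conn.executemany(
        "INSERT INTO victims (ident, ip, browser) VALUES (?, ?, ?)",
        [
            ("a1b2c3", "203.0.113.5", "Firefox"),
            ("d4e5f6", "203.0.113.9", "Chrome"),
            ("g7h8i9", "198.51.100.2", "Safari"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, data):
    # VULNERABLE pattern (illustrative, not Trape's actual statement): the
    # identifier in data[2] is concatenated into the SQL text, so a quote
    # inside it ends the literal and the rest is executed as SQL.
    sql = "SELECT ident, ip FROM victims WHERE ident = '" + data[2] + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, data):
    # FIX: bind data[2] as a query parameter. The driver sends it as data,
    # never as SQL, so quotes and keywords in it have no syntactic effect.
    sql = "SELECT ident, ip FROM victims WHERE ident = ?"
    return conn.execute(sql, (data[2],)).fetchall()


# Allow-list for the identifier: short alphanumeric token only (assumed format).
IDENT_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_ident(value):
    # Temporary workaround for unpatched installs: reject anything that is not
    # a plain identifier before it gets anywhere near the database layer.
    return bool(IDENT_RE.fullmatch(value))


if __name__ == "__main__":
    conn = make_db()
    # data[0] and data[1] are placeholders; only data[2] matters here.
    benign = ["ts", "ua", "d4e5f6"]
    malicious = ["ts", "ua", "d4e5f6' OR '1'='1"]
    print("benign via vulnerable lookup:   ", lookup_vulnerable(conn, benign))
    print("payload via vulnerable lookup:  ", lookup_vulnerable(conn, malicious))  # every row leaks
    print("payload via parameterized lookup:", lookup_fixed(conn, malicious))       # []
    print("validator:", is_valid_ident(benign[2]), is_valid_ident(malicious[2]))
```

With the payload `d4e5f6' OR '1'='1` the concatenated query returns every row in the table, the parameterized query returns nothing because it looks for an identifier literally equal to the payload, and the validator rejects the payload outright. The validator is a stopgap: the parameterized query is the actual fix, and the allow-list only buys time until core/db.py is replaced.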
Web Application Firewall
Deploy WAF rules that block SQL injection patterns in the parameters Trape reads (the t parameter of /bs and the data[2] value).
# Example ModSecurity rule (@detectSQLi needs libinjection, available in ModSecurity 2.7.4+ and v3):
# SecRule ARGS:t|ARGS:/^data\[2\]$/ "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt against Trape parameter'"
🧯 If You Can't Patch
- Isolate the Trape instance behind a firewall with strict access controls, so only the hosts that need to reach it can send requests
- Run Trape against a database account restricted to its own tables (no file, administrative or OS-level privileges), so a successful injection cannot escalate beyond the application's data
🔍 How to Verify
Check if Vulnerable:
Check whether the installed checkout is dated 2019-05-08 or earlier (git log -1 --format=%cd in the Trape directory), or, on an instance you are authorized to test, send a benign SQL injection probe to the t parameter of the /bs endpoint and compare the response against a normal request
Check Version:
Trape is distributed from git, so the commit date of the checkout (git log -1 --format=%cd) is the version; fall back to the installation date of the Trape directory if the .git metadata is missing
Verify Fix Applied:
Confirm the checkout is dated after 2019-05-08, that core/db.py no longer concatenates data[2] into SQL text, and that the injection probe used above now returns the same response as a normal request
📡 Detection & Monitoring
Log Indicators:
- Unusual or malformed SQL in database logs: syntax errors, or lookups that return every row instead of one
- Bursts of requests to /bs from a single IP, especially alongside repeated failed logins from the same source
- Requests whose t or data[2] parameter contains SQL keywords or quote/comment sequences (', --, ;, UNION, SELECT)
Network Indicators:
- HTTP requests containing SQL injection patterns in parameters
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND url="/bs" AND (param IN ("t", "data[2]")) AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "--" OR value CONTAINS "'")
(Pseudo-syntax; URL-decode the parameter value before matching, because injection payloads usually arrive percent-encoded.)
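The same detection logic run offline over web server access logs, as an added example (not part of the original advisory and not a Trape component): it parses combined-format lines, URL-decodes the query string so percent-encoded payloads are not missed, and flags /bs requests whose t or data[2] parameter carries SQL injection markers. The log lines are constructed for the example; the IP addresses, timestamps and payloads are not real traffic.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log sample (combined format, not real traffic): one benign
# /bs request, three injection attempts from one source, one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [08/May/2019:10:12:01 +0000] "GET /bs?t=a1b2c3 HTTP/1.1" 200 512
203.0.113.9 - - [08/May/2019:10:12:07 +0000] "GET /bs?t=a1b2c3%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9001
203.0.113.9 - - [08/May/2019:10:12:09 +0000] "GET /bs?t=x%27%20UNION%20SELECT%20ident%2Cip%20FROM%20victims-- HTTP/1.1" 200 9100
203.0.113.9 - - [08/May/2019:10:12:15 +0000] "GET /bs?data%5B2%5D=1%27%3B%20DROP%20TABLE%20victims%3B-- HTTP/1.1" 500 0
198.51.100.2 - - [08/May/2019:10:13:00 +0000] "GET /static/app.js HTTP/1.1" 200 1024
"""

# Combined log format: ip ident user [ts] "METHOD uri PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Parameters the advisory names; order fixed so report output is deterministic.
WATCHED_PARAMS = ("t", "data[2]")

# Coarse SQLi markers: quote followed by a boolean operator, comment sequences,
# statement separators, and the keywords an extraction or stacked query needs.
SQLI_RE = re.compile(r"(?i)(\bunion\b|\bselect\b|\bdrop\b|--|/\*|'\s*(or|and)\b|;)")


def find_sqli_hits(log_text, path="/bs"):
    """Return one record per /bs request whose watched parameter looks injected."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["uri"])
        if parts.path != path:
            continue
        # parse_qs decodes both names and values, so data%5B2%5D becomes data[2]
        # and the payload is matched in its decoded form.
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                if SQLI_RE.search(value):
                    hits.append(
                        {"ip": m["ip"], "ts": m["ts"], "param": name,
                         "value": value, "status": int(m["status"])}
                    )
    return hits


def attackers(hits, threshold=2):
    """Sources with at least `threshold` flagged requests; a 500 after a probe
    is the classic sign that an injected statement actually reached the DB."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_sqli_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['param']}={h['value']!r} status={h['status']}")
    print("repeat offenders:", attackers(found))
```

On the sample the benign lookup and the static asset pass, the three injection attempts are reported with their decoded payloads, and 203.0.113.9 is listed as a repeat offender. The keyword list is deliberately coarse, so tune it against your own baseline of legitimate t values before alerting on single hits; the per-source count and the 500 status on the stacked-query attempt are the stronger signals.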