CVE-2020-13567
📋 TL;DR
CVE-2020-13567 is one of several SQL injection vulnerabilities that Cisco Talos reported in the admin interface of phpGACL 3.3.7, the access-control library that OpenEMR ships in its gacl/ directory. A specially crafted HTTP request to the affected admin page lets the caller append arbitrary SQL to the query the page builds, and with it read, modify or delete data in the application database. The flaw sits in the authenticated portion of phpGACL, so the attacker needs an account that can reach the admin pages; the realistic scenario is a low-privileged or compromised user escalating to full control of the ACL tables and, through them, of OpenEMR's permissions and data.
💻 Affected Systems
- phpGACL 3.3.7 (Generic Access Control Lists for PHP), stand-alone or embedded
- OpenEMR, which bundles phpGACL 3.3.7 under gacl/ for its role-based access control
📦 What is this software?
OpenEMR (OpenEMR project): open-source electronic health records and practice management software; it embeds phpGACL to enforce per-user and per-group permissions.
phpGACL (phpGACL Project): a PHP library that stores access-control lists in a SQL database and ships a web admin interface for managing them.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the application database: theft, modification or deletion of ACL and application data, and, if the database account holds file or administrative privileges (for example MySQL FILE / INTO OUTFILE), a path to writing files on the server and running code.
Likely Case
An authenticated low-privileged user reads or rewrites the ACL tables, grants their own account administrator rights, and from there gains administrative control of the phpGACL deployment or of OpenEMR as a whole.
If Mitigated
Limited impact if the phpGACL admin pages are reachable only by trusted administrators, the database account is restricted to the tables and privileges the application needs, and a WAF or patched code rejects the injected queries.
🎯 Exploit Status
The Cisco Talos advisories for this family of bugs include proof-of-concept request details, and SQL injection of this kind is routinely weaponized once such details are public, so treat exploitation as feasible for any user who can reach the admin pages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: the phpGACL project has not published a release after 3.3.7, so the fix comes from whichever project ships phpGACL to you. OpenEMR addressed the Talos phpGACL findings in its own release and patch line; consult OpenEMR's security announcements for the exact version that contains the corrected gacl/ files.
Vendor Advisory: https://github.com/phpGACL/phpGACL
Restart Required: No web-server restart, but clear the PHP opcache (or reload PHP-FPM) so the patched files take effect.
Instructions:
1. Back up the current phpGACL installation and its database.
2. Obtain the patched phpGACL files from your distributing project (for OpenEMR, the patched release or patch archive).
3. Replace the vulnerable files with the patched version, keeping your configuration.
4. Verify that the admin interface works and that access controls still resolve as expected.
🔧 Temporary Workarounds
Input Validation Filter
Sanitizing filters are not a SQL injection defence: the affected pages build queries from request parameters, and a filter that strips tags or encodes quotes does nothing against a payload in a numeric context. Where you can touch the code, the correct change per query is to validate each parameter against its expected type and pass it as a bound parameter instead of interpolating it into the SQL string. Note that PHP's FILTER_SANITIZE_STRING is deprecated since PHP 8.1 and should not be used in new code.
# Example PHP input validation: allow-list a numeric parameter and reject everything else
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT);
if ($id === false) { http_response_code(400); exit; }
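To make the point concrete, here is an added example (written in Python with SQLite so it runs offline; it is not phpGACL's or OpenEMR's code, and the acl table it creates is a made-up stand-in for phpGACL's schema). It runs the same two payloads through a string-interpolated query and through a type-checked, parameterized one, with a quote-encoding filter in front, so you can see exactly where the filter helps by accident and where it does nothing:

```python
"""Added example, not phpGACL or OpenEMR code: why a sanitising filter is not a
SQL-injection defence, and why type checks plus bound parameters are.

The `acl` table and its rows are constructed for this demo; they are not
phpGACL's real schema.
"""
import html
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE acl (id INTEGER PRIMARY KEY, name TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO acl (id, name, note) VALUES (?, ?, ?)",
        [(1, "users", "public section"), (2, "admin", "restricted section")],
    )
    return conn


def quote_encoding_filter(value: str) -> str:
    # Stand-in for a quote-encoding sanitiser such as PHP's deprecated
    # FILTER_SANITIZE_STRING: ' and " become HTML entities, nothing else changes.
    return html.escape(value, quote=True)


# --- vulnerable pattern: the HTTP parameter is interpolated into the SQL text ---

def by_id_vulnerable(conn, acl_id: str):
    sql = f"SELECT id, name FROM acl WHERE id = {acl_id}"    # numeric context, no quotes needed
    return conn.execute(sql).fetchall()


def by_name_vulnerable(conn, name: str):
    sql = f"SELECT id, name FROM acl WHERE name = '{name}'"  # string context
    return conn.execute(sql).fetchall()


# --- hardened pattern: validate the type, then bind the value ---

def by_id_hardened(conn, acl_id: str):
    try:
        acl_id_int = int(acl_id)   # reject anything that is not an integer
    except ValueError:
        return []
    return conn.execute("SELECT id, name FROM acl WHERE id = ?", (acl_id_int,)).fetchall()


def by_name_hardened(conn, name: str):
    # The value reaches the engine as data; quotes inside it cannot end the literal.
    return conn.execute("SELECT id, name FROM acl WHERE name = ?", (name,)).fetchall()


NUMERIC_PAYLOAD = "1 OR 1=1"     # no quote characters, so a quote filter is blind to it
STRING_PAYLOAD = "' OR '1'='1"


def run_demo() -> dict:
    """Return what each variant gives back for the two payloads."""
    conn = setup_db()
    return {
        # The filter leaves the numeric payload untouched; every row comes back.
        "numeric_filtered_vulnerable": by_id_vulnerable(conn, quote_encoding_filter(NUMERIC_PAYLOAD)),
        "numeric_hardened": by_id_hardened(conn, NUMERIC_PAYLOAD),
        # Here the filter happens to break the payload (the quote becomes an entity),
        # which is why such filters look like they work in manual tests.
        "string_filtered_vulnerable": by_name_vulnerable(conn, quote_encoding_filter(STRING_PAYLOAD)),
        "string_unfiltered_vulnerable": by_name_vulnerable(conn, STRING_PAYLOAD),
        "string_hardened": by_name_hardened(conn, STRING_PAYLOAD),
        "legitimate": by_name_hardened(conn, "users"),
    }


if __name__ == "__main__":
    for case, rows in run_demo().items():
        print(f"{case:30s} -> {rows}")
```

The numeric case is the one that matters for review: the filtered payload still returns both rows from the vulnerable query, while the hardened variant rejects it before any SQL is run. Apply the same pattern to each parameter the affected admin pages read.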
Web Application Firewall
Deploy a WAF with SQL injection rules in front of the phpGACL admin pages. The libinjection-based @detectSQLi operator below is what the OWASP Core Rule Set uses (rule 942100); decode the arguments before matching so URL-encoded payloads are not missed, and log the block so the event reaches your SIEM.
# ModSecurity rule example
SecRule ARGS "@detectSQLi" "id:1000,phase:2,t:urlDecodeUni,deny,status:403,log,msg:'SQLi attempt against phpGACL'"
🧯 If You Can't Patch
- Restrict the phpGACL admin directory (gacl/admin/ in OpenEMR, /phpgacl/admin/ stand-alone) to administrator source addresses or a management VPN, since only authenticated users of those pages can reach the flaw
- Run the application with a database account limited to the tables it needs, without FILE or administrative privileges, and enable query logging so injected statements are recorded
🔍 How to Verify
Check if Vulnerable:
phpGACL 3.3.7 is the affected version and, because the project never released anything newer, every unpatched copy reports it. Check the version string in the library source (phpGACL keeps it in gacl.class.php as $_version) or in the admin interface's About page.
Check Version:
# OpenEMR's copy lives under <openemr>/gacl/; adjust the path for a stand-alone install
grep -rn "_version" /path/to/phpgacl/gacl.class.php
Verify Fix Applied:
A vendor-patched copy may still report 3.3.7, so do not rely on the version string alone: confirm that your OpenEMR release or patch level is one that includes the corrected gacl/ files, then confirm that the admin pages reject injection attempts (a crafted parameter should produce a validation error or an empty result, never a SQL error or extra rows).
📡 Detection & Monitoring
Log Indicators:
- SQL syntax errors in the application or PHP error log that originate from phpGACL admin scripts
- Requests to the phpGACL admin pages (gacl/admin/*.php) from accounts or sessions that normally never use them, or in bursts typical of automated scanners
- Queries in the database log that do not match the shapes the admin pages normally issue (UNION, information_schema, SLEEP/BENCHMARK)
Network Indicators:
- Requests to phpGACL admin URLs whose decoded parameters contain SQL fragments (UNION SELECT, OR 1=1, comment sequences); decode before matching, since scanners URL-encode payloads
- Unusual request volume or timing against phpGACL endpoints, in particular many near-identical requests that differ only in one parameter
SIEM Query:
# pseudo-query; adapt to your SIEM and match on the URL-decoded request
source="web_logs" AND (uri="*/gacl/admin/*" OR uri="*/phpgacl/*") AND (uri="*UNION*SELECT*" OR uri="*information_schema*" OR uri="*SLEEP(*" OR uri="*OR 1=1*")
A bare keyword match such as "SELECT" on all web traffic is too noisy to act on; scope it to the phpGACL paths and to payload shapes rather than single words. Access logs only carry GET parameters, so pair this with WAF or ModSecurity audit logs to cover POST bodies.
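The following is an added example of the detection logic above run over sample access-log lines; it is not part of the advisory or of any phpGACL or OpenEMR tooling. The log lines, client addresses, paths and parameter names are constructed for the demo and are not the real injection points. It scopes the match to the phpGACL admin paths, URL-decodes the query string first, and uses payload-shaped patterns instead of single keywords, so a legitimate parameter such as action=selection does not alert:

```python
"""Added example, not phpGACL/OpenEMR code: score web-server access-log lines
for SQL-injection payloads aimed at the phpGACL admin pages."""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" log format; only the fields the scan needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Where phpGACL's admin UI lives: stand-alone installs under /phpgacl/,
# OpenEMR's bundled copy under <openemr>/gacl/admin/.
ACL_PATHS = ("/phpgacl/", "/gacl/admin/")

# Payload-shaped patterns, tighter than a bare keyword match, applied to the
# decoded query string only.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "select-from": re.compile(r"\bselect\b.+\bfrom\b", re.I),
    "tautology": re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "stacked-or-comment": re.compile(r"(;\s*(drop|delete|insert|update)\b|--\s|/\*)", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
    "schema-probe": re.compile(r"information_schema", re.I),
}

# Constructed sample log (not real traffic). Lines 3-5 are the attacks; the
# last "selection" and "select from list" lines are deliberate near-misses.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2020:12:00:01 +0000] "GET /openemr/gacl/admin/acl_admin.php?action=list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2020:12:00:07 +0000] "GET /openemr/gacl/admin/acl_admin.php?action=selection HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Jun/2020:12:01:15 +0000] "GET /openemr/gacl/admin/acl_admin.php?id=1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 312 "-" "python-requests/2.23"',
    '198.51.100.23 - - [10/Jun/2020:12:01:16 +0000] "GET /openemr/gacl/admin/edit_acl.php?id=1%20OR%201%3D1 HTTP/1.1" 200 9120 "-" "python-requests/2.23"',
    '198.51.100.23 - - [10/Jun/2020:12:01:20 +0000] "GET /phpgacl/admin/edit_acl.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 9120 "-" "python-requests/2.23"',
    '192.0.2.9 - - [10/Jun/2020:12:02:00 +0000] "GET /openemr/interface/main/main_screen.php?q=select%20from%20list HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line: str):
    """Return the captured fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(uri: str) -> list:
    """Names of the SQLi patterns found in the decoded query string of a
    request to a phpGACL admin path; empty for other paths or clean requests."""
    parts = urlsplit(uri)
    if not any(p in parts.path for p in ACL_PATHS):
        return []
    decoded = unquote_plus(parts.query)   # scanners URL-encode payloads
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]


def scan_log(lines) -> list:
    """Return one record per suspicious request, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        matched = classify_request(rec["uri"])
        if matched:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "uri": rec["uri"],
                         "status": rec["status"], "patterns": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], ",".join(hit["patterns"]), hit["uri"])
```

Feed it your real access log (one line per element) and pivot on the source address and the HTTP status: a 500 on an admin page right after a UNION or quote payload is the strongest single signal, since the error means the injected text reached the database. POST parameters are not in the access log; for those, point the same classifier at the decoded request bodies in your WAF audit log.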