CVE-2020-13591
📋 TL;DR
This SQL injection vulnerability in Rukovoditel Project Management App allows authenticated attackers to execute arbitrary SQL commands through the access_rules/rules_form page. Attackers with administrator credentials or via CSRF can exploit this to access or manipulate database content. Organizations using Rukovoditel 2.7.2 are affected.
💻 Affected Systems
- Rukovoditel Project Management App
📦 What is this software?
Rukovoditel by Rukovoditel
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution through database functions.
Likely Case
Unauthorized data access, privilege escalation, and potential data exfiltration from the project management database.
If Mitigated
Limited impact with proper input validation, parameterized queries, and network segmentation preventing database access.
🎯 Exploit Status
Exploitation requires authentication, but the request can also be forged via CSRF, which lowers the bar. SQL injection is well understood, and automated tools for it are widely available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.3 or later
Vendor Advisory: https://www.rukovoditel.net/
Restart Required: No
Instructions:
1. Back up your Rukovoditel installation and database.
2. Download the latest version from the official site.
3. Replace the affected files.
4. Verify functionality.
5. Test the access_rules/rules_form page.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to filter SQL injection patterns in the access_rules/rules_form endpoint
Modify PHP files to sanitize user input using prepared statements
WAF Rule
Implement web application firewall rules to block SQL injection patterns
Add WAF rule: deny requests containing SQL keywords to /access_rules/rules_form
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Rukovoditel from critical databases
- Enable detailed SQL query logging and monitor for injection patterns
🔍 How to Verify
Check if Vulnerable:
Test access_rules/rules_form page with SQL injection payloads like ' OR '1'='1
Check Version:
Check Rukovoditel version in admin panel or config files
Verify Fix Applied:
Attempt SQL injection on patched version and verify error-free responses
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by access_rules access
- CSRF tokens missing in access_rules requests
Network Indicators:
- HTTP POST requests to /access_rules/rules_form with SQL keywords
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri="/access_rules/rules_form" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "INSERT")
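The SIEM query above, expressed as runnable detection logic over constructed log lines; this is an added example, not part of the advisory, and the log line format and sample records are assumptions. It tightens the query's substring match to word-boundary keyword matching and URL-decodes the body before matching, which the raw query does not do.

```python
import re
from urllib.parse import unquote_plus

TARGET_URI = "/access_rules/rules_form"

# Keywords from the advisory's SIEM query, matched case-insensitively on word
# boundaries so ordinary form text such as "Selected" does not fire the rule.
SQL_KEYWORD_RE = re.compile(r"\b(UNION|SELECT|INSERT)\b", re.IGNORECASE)
# Quote-OR-quote tautology shape, the form of the advisory's verification payload.
TAUTOLOGY_RE = re.compile(r"'\s*OR\s*'", re.IGNORECASE)

# Hypothetical log format (assumption): METHOD URI "url-encoded request body"
LOG_LINE_RE = re.compile(r'^(\S+) (\S+) "(.*)"$')

def classify_body(raw_body: str) -> list[str]:
    """Return the indicator names that fire for one URL-encoded request body."""
    body = unquote_plus(raw_body)  # decode first, otherwise %27 hides the quotes
    hits = []
    if SQL_KEYWORD_RE.search(body):
        hits.append("sql_keyword")
    if TAUTOLOGY_RE.search(body):
        hits.append("tautology")
    return hits

def scan_logs(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Flag POSTs to the vulnerable endpoint whose body carries an indicator."""
    flagged = []
    for idx, line in enumerate(lines):
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        method, uri, raw_body = m.groups()
        if method != "POST" or uri != TARGET_URI:
            continue
        hits = classify_body(raw_body)
        if hits:
            flagged.append((idx, hits))
    return flagged

# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    'POST /access_rules/rules_form "name=Editors&rule=allow"',
    'POST /access_rules/rules_form "name=x%27+UNION+SELECT+1%2C2--"',
    'POST /access_rules/rules_form "name=Selected+items"',
    'POST /access_rules/rules_form "name=a%27+OR+%271%27%3D%271"',
    'GET /dashboard ""',
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(hits)}")
```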