CVE-2020-23150

7.5 HIGH

📋 TL;DR

This SQL injection vulnerability in rConfig 3.9.5 allows attackers to execute arbitrary SQL commands via crafted GET requests to the ajaxDbInstall.php endpoint. This can lead to unauthorized access to sensitive database information including credentials and configuration data. All systems running the vulnerable version with the installation component accessible are affected.

💻 Affected Systems

Products:
  • rConfig
Versions: 3.9.5 specifically
Operating Systems: All platforms running rConfig
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the installation component which should be removed after setup but often remains accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to credential theft, data exfiltration, and potential lateral movement to other systems.

🟠 Likely Case

Extraction of database credentials and configuration data, enabling further system compromise.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing exploitation.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is part of the installation component which may be exposed during setup.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if the installation component remains accessible.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple SQL injection requiring only web access to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.6 or later

Vendor Advisory: https://github.com/rconfig/rconfig/releases

Restart Required: No

Instructions:

1. Upgrade to rConfig 3.9.6 or later.
2. Remove the /install/ directory if no longer needed.
3. Review and secure database credentials.

🔧 Temporary Workarounds

Remove installation directory

Platform: Linux

Delete the installation component after setup to eliminate the vulnerable endpoint.

rm -rf /path/to/rconfig/www/install/

Web server access restriction

Platform: all

Block access to the vulnerable endpoint using web server configuration.

# Apache:
<Location "/install/">
    Require all denied
</Location>

# Nginx:
location /install/ {
    deny all;
}

🧯 If You Can't Patch

  • Implement strict network access controls to block external access to the installation endpoint.
  • Monitor for SQL injection attempts and unauthorized database access patterns.

🔍 How to Verify

Check if Vulnerable:

Check if /install/lib/ajaxHandlers/ajaxDbInstall.php exists and is accessible via web.

Check Version:

if [ -d /path/to/rconfig/www/install ]; then grep 'version' /path/to/rconfig/www/install/install.php; else echo 'Install directory removed'; fi

Verify Fix Applied:

Confirm the file no longer exists or returns access denied, and verify rConfig version is 3.9.6+.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /install/lib/ajaxHandlers/ajaxDbInstall.php with SQL syntax in parameters
  • Database error logs showing unexpected queries from web application

Network Indicators:

  • HTTP traffic to installation endpoints post-setup
  • SQL injection patterns in web requests

SIEM Query:

source="web_logs" AND uri="/install/lib/ajaxHandlers/ajaxDbInstall.php" AND (method="GET" OR params CONTAINS "SELECT" OR params CONTAINS "UNION")
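
The log indicators above, applied to a web server access log. This is an added example, not part of the original advisory or of rConfig's code. It assumes the Apache/Nginx combined log format; the sample lines and the parameter name `p` are constructed, and the SQL marker list is a heuristic to tune locally.

```python
import re
from urllib.parse import unquote, unquote_plus

# Endpoint path as given in the advisory's log indicators.
ENDPOINT = "/install/lib/ajaxHandlers/ajaxDbInstall.php"
# Combined log format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumed heuristic markers of SQL syntax in a decoded query string.
SQLI_RE = re.compile(r"'|--|/\*|\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b|\bsleep\s*\(",
                     re.IGNORECASE | re.DOTALL)

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %2527) so the markers see plain text."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None for unrelated lines, else a dict describing the request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_path, _, raw_query = m["target"].partition("?")
    path = re.sub(r"/+", "/", unquote(raw_path))  # collapse // and decode %xx
    if path != ENDPOINT:
        return None
    return {
        "ip": m["ip"], "time": m["ts"], "method": m["method"],
        "sqli": bool(SQLI_RE.search(decode_fully(raw_query))),
        "reachable": m["status"].startswith("2"),  # 2xx: installer still served
    }

def scan(lines):
    """Report every request to the installer endpoint, injection or not."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges, placeholder parameter "p").
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2021:10:01:02 +0000] "GET /install/lib/ajaxHandlers/ajaxDbInstall.php?p=1%27%20UNION%20SELECT%201 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [12/Mar/2021:10:02:40 +0000] "GET /install/lib/ajaxHandlers/ajaxDbInstall.php?p=%2527%2520union%2520select%25201 HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.20 - - [12/Mar/2021:10:05:11 +0000] "GET /install/lib/ajaxHandlers/ajaxDbInstall.php HTTP/1.1" 404 153 "-" "-"',
    '192.0.2.44 - - [12/Mar/2021:10:06:00 +0000] "GET /dashboard.php?q=select HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A hit with `reachable` set means the installer endpoint answered with a 2xx status and the workarounds above have not been applied, whether or not the request carried SQL syntax.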
