CVE-2021-29004

8.8 HIGH

📋 TL;DR

CVE-2021-29004 is an authenticated SQL injection vulnerability in rConfig 3.9.6 that allows attackers to upload webshells to the server when MySQL's secure-file-priv option is not properly configured. This affects organizations using vulnerable rConfig installations with default or misconfigured MySQL settings. Successful exploitation requires authenticated access but can lead to complete server compromise.

💻 Affected Systems

Products:
  • rConfig
Versions: 3.9.6 and possibly earlier versions
Operating Systems: Linux, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires MySQL with --secure-file-priv not set or misconfigured, and MySQL server must be on same host as rConfig.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server takeover with remote code execution, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Unauthorized file upload leading to webshell installation and persistent backdoor access to the server.

🟢 If Mitigated

SQL injection attempts blocked by input validation, with no file upload capability due to secure-file-priv restrictions.

🌐 Internet-Facing: HIGH - Internet-facing rConfig instances with authenticated users are directly exploitable.
🏢 Internal Only: MEDIUM - Requires authenticated access but internal attackers or compromised accounts can exploit.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated user access and specific MySQL configuration conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.7 or later

Vendor Advisory: http://rconfig.com

Restart Required: No

Instructions:

1. Back up the current rConfig installation and database.
2. Download and install rConfig 3.9.7 or later from the official source.
3. Verify the installation and test functionality.

🔧 Temporary Workarounds

Secure MySQL Configuration

all

Configure MySQL's secure-file-priv option to restrict file import and export operations

Add 'secure-file-priv = /secure/path' to the [mysqld] section of my.cnf or my.ini, using a directory outside the web root
Restart MySQL service: sudo systemctl restart mysql

Input Validation Enhancement

all

Implement additional input validation for SQL queries in rConfig

Review and sanitize all user inputs in PHP files
Use prepared statements for database queries

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate rConfig from critical systems
  • Enable detailed logging and monitoring for SQL injection attempts and file upload activities

🔍 How to Verify

Check if Vulnerable:

Check rConfig version in admin panel or via 'cat /var/www/html/rconfig/version.txt' and verify MySQL secure-file-priv setting with 'SHOW VARIABLES LIKE "secure_file_priv"'

Check Version:

cat /var/www/html/rconfig/version.txt   # or read the version shown in the admin panel

Verify Fix Applied:

Confirm the rConfig version is 3.9.7+ and test that SQL injection payloads no longer work
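
The version check and the secure_file_priv check above, combined into one verdict. This is an added example, not code from rConfig or from the original advisory. The function names, verdict strings and the /var/www/html web root are assumptions, and version.txt is assumed to hold a plain dotted version number.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2021-29004 (names are illustrative).

# Exit 0 when a dotted version such as "3.9.6" is >= 3.9.7 (the patch version).
version_is_fixed() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split "3.9.6" into 3 9 6
    IFS=$old_ifs
    [ $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} )) -ge 3009007 ]
}

# Classify a secure_file_priv value against the web root.
#   NULL      -> import/export disabled entirely
#   empty     -> no restriction: the server may write files anywhere it has access
#   directory -> restricted, but still risky if that directory overlaps the web root
classify_secure_file_priv() {
    dir=${1%/}; webroot=${2%/}
    case $1 in
        NULL) echo disabled; return ;;
        "")   echo unrestricted; return ;;
    esac
    case "$webroot/" in "$dir"/*) echo web-served; return ;; esac   # dir is web root or a parent
    case "$dir/" in "$webroot"/*) echo web-served; return ;; esac   # dir is inside web root
    echo restricted
}

# Args: rConfig version, secure_file_priv value, web root.
assess() {
    if version_is_fixed "$1"; then echo patched; return; fi
    case $(classify_secure_file_priv "$2" "$3") in
        unrestricted|web-served) echo exposed ;;    # SQLi plus file write into a served path
        *)                       echo sqli-only ;;  # SQLi remains, file-write path is closed
    esac
}

# Live check on the rConfig host; assumes the mysql client can authenticate
# (for example through ~/.my.cnf). -N drops the header, -B prints NULL literally.
audit_live() {
    version=$(cat /var/www/html/rconfig/version.txt) || return 1
    sfp=$(mysql -N -B -e 'SELECT @@GLOBAL.secure_file_priv') || return 1
    assess "$version" "$sfp" /var/www/html
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it with --live on the host that runs both rConfig and MySQL. A result of sqli-only still means the injection itself is unpatched.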

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in MySQL logs
  • File upload attempts to unexpected directories
  • Authentication logs showing suspicious user activity

Network Indicators:

  • HTTP POST requests with SQL injection patterns to rConfig endpoints
  • Unexpected outbound connections from rConfig server

SIEM Query:

(source="mysql.log" AND ("INTO OUTFILE" OR "UNION SELECT")) OR (source="apache.log" AND uri="/rconfig/*" AND method="POST" AND (body="' OR" OR body="UNION"))
