CVE-2021-41765
📋 TL;DR
This SQL injection vulnerability in ResourceSpace allows unauthenticated attackers to execute arbitrary SQL commands, potentially exposing the entire database including user session cookies. Attackers can then hijack admin sessions to execute arbitrary code on the server. All ResourceSpace 9.5 and 9.6 installations before revision 18274 are affected.
💻 Affected Systems
- ResourceSpace
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to admin session hijacking, arbitrary code execution on the server, and full system takeover.
Likely Case
Database exfiltration including user credentials and session cookies, leading to unauthorized access and potential privilege escalation.
If Mitigated
Limited impact if proper input validation and WAF rules are in place, though SQL injection attempts may still be logged.
🎯 Exploit Status
Exploitation is straightforward via the k parameter in the vulnerable PHP file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Revision 18274 or later
Vendor Advisory: http://svn.resourcespace.com/svn/rs/releases/9.6/pages/edit_fields/9_ajax/add_keyword.php
Restart Required: No
Instructions:
1. Update ResourceSpace to revision 18274 or later.
2. Apply the patch from the vendor's SVN repository.
3. Verify the fix by checking the file's revision number.
🔧 Temporary Workarounds
Block access to vulnerable endpoint
Restrict access to the vulnerable PHP file via web server configuration or firewall rules.
# Apache:
<LocationMatch "^/pages/edit_fields/9_ajax/add_keyword\.php$">
    Require all denied
</LocationMatch>
# Nginx:
location ~ ^/pages/edit_fields/9_ajax/add_keyword\.php$ { deny all; }
Implement WAF rules
Deploy web application firewall rules to block SQL injection attempts targeting the k parameter.
🧯 If You Can't Patch
- Isolate the ResourceSpace instance from the internet and restrict internal access.
- Implement strict input validation and parameterized queries in custom code if modifying the vulnerable file.
🔍 How to Verify
Check if Vulnerable:
Check if the file /pages/edit_fields/9_ajax/add_keyword.php exists and its revision is below 18274.
Check Version:
svn info /path/to/resourcespace/pages/edit_fields/9_ajax/add_keyword.php | grep Revision
Verify Fix Applied:
Verify the file revision is 18274 or higher and test for SQL injection via the k parameter.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Access attempts to add_keyword.php with suspicious k parameter values
Network Indicators:
- HTTP requests to /pages/edit_fields/9_ajax/add_keyword.php with SQL injection patterns in parameters
SIEM Query:
source="web_access.log" AND uri="/pages/edit_fields/9_ajax/add_keyword.php" AND (param="k" AND value MATCHES "(?i)(union|select|insert|delete|update|drop|exec|--|#)")
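Added example (not part of the vendor advisory or of ResourceSpace): the same check as the SIEM query above, run over web access log lines in Combined Log Format. It percent-decodes the k parameter before matching, so URL-encoded values are also caught, and it adds word boundaries to the keyword list to cut false positives. The log format, function names and sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/pages/edit_fields/9_ajax/add_keyword.php"
# Keyword list from the SIEM query above; word boundaries are an addition here.
SQLI = re.compile(r"(?i)(\b(union|select|insert|delete|update|drop|exec)\b|--|#)")
# Request field of a Combined Log Format line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_k_values(line):
    """Return the decoded k values in one access-log line that match SQLI."""
    m = REQUEST.search(line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    if target.path != ENDPOINT:
        return []
    # parse_qs percent-decodes values, so encoded input is matched as well.
    values = parse_qs(target.query, keep_blank_values=True).get("k", [])
    return [v for v in values if SQLI.search(v)]

def scan(lines):
    """Yield (client_ip, decoded_k) for every flagged request."""
    for line in lines:
        for value in suspicious_k_values(line):
            yield line.split(" ", 1)[0], value

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2021:10:00:00 +0000] "GET /pages/edit_fields/9_ajax/add_keyword.php?k=landscape HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Oct/2021:10:00:05 +0000] "GET /pages/edit_fields/9_ajax/add_keyword.php?k=x%27%20UNION%20SELECT%201--%20 HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Oct/2021:10:00:09 +0000] "GET /pages/search.php?k=select HTTP/1.1" 200 300',
    '203.0.113.4 - - [01/Oct/2021:10:00:12 +0000] "GET /pages/edit_fields/9_ajax/add_keyword.php?k=sunset%20selection HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} k={value!r}")
```

Access logs record only the request line, so a k value carried in a request body is not visible to this check and needs WAF or application-level logging.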
🔗 References
- http://svn.resourcespace.com/svn/rs/releases/9.6/pages/edit_fields/9_ajax/add_keyword.php
- https://www.horizon3.ai/multiple-vulnerabilities-in-resourcespace/