CVE-2021-44567
📋 TL;DR
A SQL injection vulnerability in RosarioSIS lets an attacker execute arbitrary SQL statements through the votes parameter handled by ProgramFunctions/PortalPollsNotes.fnc.php. All RosarioSIS installations before version 7.6.1 are affected. No authentication is required, and a successful injection can read or modify the entire database.
💻 Affected Systems
- RosarioSIS
📦 What is this software?
RosarioSIS, a free and open-source student information system (school management software) maintained by François Jacquet. It is a PHP web application backed by an SQL database.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.
Likely Case
Data exfiltration, unauthorized data modification, and potential authentication bypass leading to administrative access.
If Mitigated
Limited impact with proper input validation, parameterized queries, and network segmentation in place.
🎯 Exploit Status
SQL injection via GET/POST parameter requires minimal technical skill. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.6.1
Vendor Advisory: https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md#changes-in-761
Restart Required: No (PHP files are read on each request; if an opcode cache is enabled, clear it or wait for its timestamp check so the patched file is actually served)
Instructions:
1. Back up the database and the application files.
2. Download RosarioSIS 7.6.1 or later from the official repository and upgrade the whole installation following the project's upgrade procedure. Replacing only ProgramFunctions/PortalPollsNotes.fnc.php is a last resort: a single-file swap can leave other changed files out of sync.
3. Confirm the running version is 7.6.1 or later and that ProgramFunctions/PortalPollsNotes.fnc.php matches the fix commits listed in the references (the votes value is validated before it reaches any SQL statement).
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation in the PHP code so the votes parameter is rejected before it reaches any SQL statement. The snippet below only accepts a non-negative integer; ctype_digit() is used instead of is_numeric() because is_numeric() also accepts floats and exponent notation such as 1e3, and the isset()/is_string() checks avoid a PHP notice when the parameter is missing or arrives as an array.
# Add validation in ProgramFunctions/PortalPollsNotes.fnc.php,
# before the votes parameter is used in any SQL query.
# Accept only a plain non-negative integer; reject everything else.
if ( ! isset( $_REQUEST['votes'] )
    || ! is_string( $_REQUEST['votes'] )
    || ! ctype_digit( $_REQUEST['votes'] ) ) {
    die( 'Invalid input' );
}
Test poll voting after deploying this: if your version submits votes as an array (one entry per poll question), apply the same check to each element instead of the whole parameter.
Web Application Firewall Rule
Block SQL injection patterns targeting the votes parameter at the web application firewall. The rule id below (1001) is a placeholder; pick one that does not collide with your existing rule set.
# Example ModSecurity rule. ARGS:/^votes/ also covers array-style names such as votes[12];
# t:urlDecodeUni catches double-URL-encoded payloads that a single decode would miss.
SecRule ARGS:/^votes/ "@detectSQLi" "id:1001,phase:2,t:none,t:urlDecodeUni,log,deny,status:403,msg:'SQL injection attempt against votes parameter'"
🧯 If You Can't Patch
- Disable or restrict access to the portal polls functionality entirely.
- Implement network-level controls to limit access to the vulnerable endpoint to trusted IPs only.
🔍 How to Verify
Check if Vulnerable:
Check whether the RosarioSIS version is below 7.6.1. Examine ProgramFunctions/PortalPollsNotes.fnc.php for the absence of input validation on the votes parameter (compare against the fix commits in the references).
Check Version:
# Run from the RosarioSIS installation root; the version constant is ROSARIO_VERSION
grep -rn "ROSARIO_VERSION" --include='*.php' .
The version is also shown in the application's About/Help page once logged in as an administrator.
Verify Fix Applied:
Verify version is 7.6.1 or higher. Check that PortalPollsNotes.fnc.php includes proper input validation and parameterized queries for the votes parameter.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL statements in database logs (UNION SELECT, stacked queries, or time-delay functions) issued by the RosarioSIS database user
- Database syntax errors attributed to the RosarioSIS database user; failed injection attempts usually leave these before a working payload is found
- Requests carrying a votes parameter whose value is not a plain integer (quotes, SQL keywords, comment sequences, URL-encoded variants such as %27)
Network Indicators:
- HTTP requests containing SQL keywords (UNION, SELECT, etc.) in votes parameter
- Unusual traffic patterns to the vulnerable endpoint
SIEM Query (illustrative field names; adapt to your log schema):
source="web_logs" AND uri="*PortalPollsNotes.fnc.php*" AND (query="*votes=*UNION*" OR query="*votes=*SELECT*" OR query="*votes=*%27*" OR query="*votes=*'*")
Match on the URL-decoded query string where your SIEM supports it, and use case-insensitive matching: attackers routinely vary keyword case and encode payloads once or twice to evade literal string matches. POST bodies are not in standard access logs; for the POST path you need request-body logging (for example the ModSecurity audit log).
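The detection logic above, worked through as a runnable script. This is an added example, not code from the RosarioSIS project or from the original advisory: it parses combined-format access log lines, URL-decodes the query string more than once (so double-encoded payloads do not slip through), and flags any request whose votes parameter (scalar or array-style, e.g. votes[12]) is not a plain non-negative integer. It matches on the parameter rather than on the file name, on the assumption that the vulnerable function file is included by the application's front controller rather than requested directly. The log lines, client addresses and paths are constructed for the example; the only payloads used are generic test strings, not a working exploit.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined log format: client ident user [timestamp] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

PARAM = "votes"  # the parameter named in the advisory

# Generic SQL-injection indicators; tune for your own traffic.
SQLI_HINTS = re.compile(
    r"(?i)(\bunion\b|\bselect\b|'|--|/\*|\bor\b\s+\d+\s*=|\bsleep\s*\(|\bpg_sleep\b)"
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly until the value stops changing (bounded)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_votes(raw_value: str):
    """Return None for a benign (all-digit) value, otherwise a short reason."""
    value = fully_decode(raw_value)
    if value.isdigit():
        return None
    if SQLI_HINTS.search(value):
        return "sqli-pattern"
    return "non-numeric"  # e.g. '1e3' or 'abc': not an attack string, still not valid input


def analyze_line(line: str):
    """Parse one access-log line; return a hit dict or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line: skip rather than crash
    query = urlsplit(m.group("url")).query
    # parse_qsl decodes once; classify_votes decodes again for nested encoding.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == PARAM or name.startswith(PARAM + "["):
            reason = classify_votes(value)
            if reason:
                return {
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "method": m.group("method"),
                    "param": name,
                    "votes": fully_decode(value),
                    "reason": reason,
                    "status": int(m.group("status")),
                }
    return None


def scan_log(lines):
    """Run analyze_line over an iterable of log lines and collect the hits."""
    return [hit for hit in (analyze_line(line) for line in lines) if hit]


# Constructed sample log (not real traffic). Documentation-range IPs only.
SAMPLE_LOG = [
    # legitimate vote: array-style parameter, integer value -> no hit
    '198.51.100.7 - - [10/Dec/2021:14:02:11 +0000] "GET /rosariosis/Modules.php?modname=misc/Portal.php&votes%5B12%5D=3 HTTP/1.1" 200 512',
    # single-encoded generic UNION test string -> sqli-pattern
    '203.0.113.10 - - [10/Dec/2021:14:03:40 +0000] "GET /rosariosis/Modules.php?modname=misc/Portal.php&votes=1%27%20UNION%20SELECT%201%2C2-- HTTP/1.1" 200 1843',
    # double-encoded tautology -> still sqli-pattern after the second decode
    '203.0.113.10 - - [10/Dec/2021:14:03:52 +0000] "GET /rosariosis/Modules.php?modname=misc/Portal.php&votes=1%2527%2520OR%25201%253D1 HTTP/1.1" 200 1843',
    # garbage value, no SQL tokens -> non-numeric
    '192.0.2.44 - - [10/Dec/2021:14:05:01 +0000] "GET /rosariosis/Modules.php?modname=misc/Portal.php&votes=abc HTTP/1.1" 200 512',
    # unrelated request -> no hit
    '198.51.100.7 - - [10/Dec/2021:14:06:30 +0000] "GET /rosariosis/index.php HTTP/1.1" 200 2210',
    # malformed line -> skipped
    'this is not a log line',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['param']}={hit['votes']!r} [{hit['reason']}]")
```

Feed a real access log with `scan_log(open("/var/log/apache2/access.log"))`. As with the SIEM query, this only sees parameters in the URL; POST bodies require request-body logging. The "non-numeric" class is deliberately separate from "sqli-pattern" so that broken clients do not page the on-call engineer, while anything that is not a plain integer is still recorded.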
🔗 References
- https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md#changes-in-761
- https://gitlab.com/francoisjacquet/rosariosis/-/commit/519af055a4fdc1362657d75bca76f9c95a081eaa
- https://gitlab.com/francoisjacquet/rosariosis/-/commit/e001430aa9fb53d2502fb6f036f6c51c578d2016
- https://gitlab.com/francoisjacquet/rosariosis/-/issues/308