CVE-2021-46444

9.8 CRITICAL

📋 TL;DR

CVE-2021-46444 is a SQL injection vulnerability in H.H.G Multistore's admin interface that allows attackers to execute arbitrary SQL commands. This affects all installations of H.H.G Multistore v5.1.0 and below. Attackers can potentially access, modify, or delete database content through the vulnerable /admin/admin.php endpoint.

💻 Affected Systems

Products:
  • H.H.G Multistore
Versions: v5.1.0 and all earlier versions
Operating Systems: Any OS running PHP and MySQL/MariaDB
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default installations with the admin interface enabled. Requires PHP and database backend.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution through database functions.

🟠

Likely Case

Unauthorized access to sensitive data including user credentials, payment information, and administrative data, potentially leading to full system compromise.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation preventing database access.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is part of the admin interface which is typically internet-facing for e-commerce platforms.
🏢 Internal Only: MEDIUM - Even internal-only deployments are at risk from insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access or stolen credentials. The PoC demonstrates straightforward SQL injection via the agID parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.1.1 or later

Vendor Advisory: https://www.hhg-multistore.com/

Restart Required: No

Instructions:

1. Back up the database and application files.
2. Download the latest version from the vendor website.
3. Replace the affected files.
4. Test functionality.
5. Monitor for issues.

🔧 Temporary Workarounds

Input Validation Filter

Scope: all

Add input validation to sanitize the agID parameter before processing

Modify /admin/admin.php to add: $agID = intval($_GET['agID']);

WAF Rule

Scope: all

Implement web application firewall rules to block SQL injection patterns

Add WAF rule: Detect and block SQL keywords in agID parameter

🧯 If You Can't Patch

  • Restrict access to /admin/admin.php endpoint using IP whitelisting or authentication
  • Implement database user with minimal privileges and enable query logging

🔍 How to Verify

Check if Vulnerable:

Test the endpoint with SQL injection payload: /admin/admin.php?module=admin_group_edit&agID=1' OR '1'='1

Check Version:

Check version in application files or admin dashboard

Verify Fix Applied:

Verify that the same SQL injection payload no longer changes the query's behaviour and that the application rejects the non-integer agID value with proper error handling

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin interface
  • Unexpected parameter values in web server logs

Network Indicators:

  • SQL keywords in HTTP GET parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/admin/admin.php" AND (param="agID" AND value MATCH "[';]|OR|UNION|SELECT")
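The SIEM query above is pseudo-syntax. As an added example (not part of the original page), the following Python script applies the same logic to constructed Apache-style access-log lines: it percent-decodes the agID parameter of requests to /admin/admin.php and flags any value that is not a plain integer, which is the same invariant the intval() workaround enforces on the server side. The log format and sample lines are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined-style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2022:10:01:02 +0000] "GET /admin/admin.php?module=admin_group_edit&agID=7 HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2022:10:01:07 +0000] "GET /admin/admin.php?module=admin_group_edit&agID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048
10.0.0.9 - - [10/Mar/2022:10:01:09 +0000] "GET /admin/admin.php?module=admin_group_edit&agID=1+UNION+SELECT+1,2,3 HTTP/1.1" 500 120
10.0.0.5 - - [10/Mar/2022:10:02:00 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 300
"""

# Assumed Apache combined log layout: ip ident user [timestamp] "METHOD URI PROTO" status size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Allowlist: the only legitimate shape for agID is an (optionally negative) integer.
INT_RE = re.compile(r"-?[0-9]+")
# Tokens from the SIEM query, used only to annotate why a value looked suspicious.
SQLI_HINT_RE = re.compile(r"[';]|\b(OR|UNION|SELECT)\b", re.IGNORECASE)


def suspicious_agid_requests(log_text):
    """Return one (ip, timestamp, decoded agID, status, reason) tuple for every
    request to /admin/admin.php whose agID parameter is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if parts.path != "/admin/admin.php":
            continue
        # parse_qs percent-decodes and turns '+' into space, so %27 becomes "'" before matching
        for value in parse_qs(parts.query).get("agID", []):
            if INT_RE.fullmatch(value):
                continue
            token = SQLI_HINT_RE.search(value)
            reason = f"sql token {token.group(0)!r}" if token else "non-integer agID"
            hits.append((m.group("ip"), m.group("ts"), value, int(m.group("status")), reason))
    return hits


if __name__ == "__main__":
    for hit in suspicious_agid_requests(SAMPLE_LOG):
        print(hit)
```

Because the check is an allowlist on the decoded value, it also catches encodings that a keyword-only SIEM rule on the raw URI would miss.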

🔗 References
