CVE-2022-31890
📋 TL;DR
This CVE describes a SQL injection vulnerability in osTicket-plugins that allows attackers to execute arbitrary SQL commands via the order parameter in the getOrder function. It affects osTicket installations with vulnerable plugins before commit a7842d494889fd5533d13deb3c6a7789768795ae. Attackers can potentially access, modify, or delete database content.
💻 Affected Systems
- osTicket osTicket-plugins
📦 What is this software?
Audit Log by Enhancesoft
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining
Likely Case
Unauthorized data access, privilege escalation, or data manipulation in the osTicket database
If Mitigated
Limited impact with proper input validation, parameterized queries, and database permissions
🎯 Exploit Status
SQL injection via order parameter is a well-understood attack vector with many existing tools
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit a7842d494889fd5533d13deb3c6a7789768795ae or later
Vendor Advisory: https://github.com/osTicket/osTicket-plugins/commit/0b59afbd2d4ccd0522552198a9aaf1ec05b5071e
Restart Required: No
Instructions:
1. Update osTicket-plugins to commit a7842d494889fd5533d13deb3c6a7789768795ae or later
2. Verify the audit/class.audit.php file contains proper input validation
3. No service restart required
🔧 Temporary Workarounds
Disable audit plugin
Platform: Linux. Temporarily disable the vulnerable audit plugin to prevent exploitation
mv /path/to/osticket/include/plugins/audit /path/to/osticket/include/plugins/audit.disabled
Web Application Firewall rule
Platform: All. Block SQL injection patterns in the order parameter
ModSecurity rule: SecRule ARGS:order "@detectSQLi" "id:1001,phase:2,deny,status:403"
🧯 If You Can't Patch
- Implement strict input validation for all order parameters in custom code
- Apply database-level controls: restrict user permissions, enable query logging
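The "strict input validation for all order parameters" item above is the core of the fix for this class of bug. As an added example (not code from osTicket, the Enhancesoft audit plugin, or the patched getOrder), the following Python shows the unsafe concatenation pattern beside an allow-list version. A column name or sort direction cannot be bound as a prepared-statement parameter, so the request value has to be mapped onto a fixed set of known columns and everything else rejected. The table, column names and allow-list are constructed for illustration.

```python
"""
Allow-list validation for a user-controlled ORDER BY parameter.

Added example, not code from osTicket or the Enhancesoft audit plugin: the
table, column names and allow-list below are constructed for illustration.
"""
import sqlite3

# Constructed allow-list: request value -> real column name.
ALLOWED_COLUMNS = {"id": "id", "timestamp": "logged_at", "event": "event_id"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
BASE_QUERY = "SELECT id, logged_at, event_id FROM audit ORDER BY "


def get_order_vulnerable(order: str) -> str:
    """The unsafe pattern: the untrusted value is concatenated straight into SQL."""
    return BASE_QUERY + order


def get_order_safe(order: str, direction: str = "asc") -> str:
    """Map the request values onto known column/direction tokens; refuse anything else."""
    column = ALLOWED_COLUMNS.get(order.strip().lower())
    if column is None:
        raise ValueError(f"rejected order parameter: {order!r}")
    sort_dir = ALLOWED_DIRECTIONS.get(direction.strip().lower())
    if sort_dir is None:
        raise ValueError(f"rejected direction parameter: {direction!r}")
    # Only tokens taken from the allow-list reach the query string.
    return f"{BASE_QUERY}{column} {sort_dir}"


def is_valid_order(order: str, direction: str = "asc") -> bool:
    """True when both values would be accepted by get_order_safe."""
    try:
        get_order_safe(order, direction)
    except ValueError:
        return False
    return True


def fetch_audit_rows(order: str, direction: str = "asc") -> list:
    """Run the validated query against a constructed in-memory audit table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit (id INTEGER, logged_at TEXT, event_id INTEGER)")
    conn.executemany(
        "INSERT INTO audit VALUES (?, ?, ?)",
        [(1, "2022-06-01", 20), (2, "2022-06-02", 10), (3, "2022-06-03", 30)],
    )
    try:
        return conn.execute(get_order_safe(order, direction)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    # The vulnerable builder passes any request value through verbatim.
    print(get_order_vulnerable("id -- this comment is untrusted request input"))
    # The safe builder only accepts allow-listed tokens.
    print(fetch_audit_rows("event", "desc"))
    print(is_valid_order("id -- this comment is untrusted request input"))  # False
```

The same approach works for any custom code that lets a request pick a sort column: keep the mapping small, compare case-insensitively, and fail closed rather than falling back to the raw value.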
🔍 How to Verify
Check if Vulnerable:
Check whether audit/class.audit.php still contains a getOrder function that uses the order parameter without proper input validation
Check Version:
cd /path/to/osticket/include/plugins && git log --oneline -1
Verify Fix Applied:
Confirm that commit a7842d494889fd5533d13deb3c6a7789768795ae (or a later one) appears in the git log
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by order parameter manipulation
- Long or malformed order parameter values in web logs
Network Indicators:
- HTTP requests with SQL injection patterns in order parameter
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND (order=* OR order LIKE "%SELECT%")
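The WAF rule and the log and network indicators above all come down to the same question: does the value of the order parameter look like a column name, or like SQL? As an added example (not part of the original advisory), the following Python applies that check to web server access logs. The log lines, request paths and allow-list are constructed; unlike a query that matches every request merely carrying an order parameter, it decodes the value and flags only values outside the expected column names, overlong values, or values containing SQL metacharacters or keywords.

```python
"""
Scan web access logs for suspicious values of the `order` query parameter.

Added example, not part of the original advisory: the log lines, request
paths and allow-list are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not from a real osTicket host).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2022:12:00:01 +0000] "GET /scp/audits.php?order=id&dir=asc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2022:12:00:07 +0000] "GET /scp/audits.php?order=timestamp HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2022:12:01:15 +0000] "GET /scp/audits.php?order=id%27-- HTTP/1.1" 200 5119 "-" "curl/7.79.1"
198.51.100.9 - - [10/Jun/2022:12:01:22 +0000] "GET /scp/audits.php?order=(SELECT%201) HTTP/1.1" 500 312 "-" "curl/7.79.1"
192.0.2.44 - - [10/Jun/2022:12:02:00 +0000] "GET /scp/tickets.php?status=open HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Constructed allow-list of values the application is expected to send.
ALLOWED_ORDER_VALUES = {"id", "timestamp", "event", "user"}
MAX_ORDER_LENGTH = 32
# Quotes, parentheses, comment markers and common SQL keywords never belong in a column name.
SQL_HINTS = re.compile(r"""['"();]|--|/\*|\b(?:select|union|sleep|benchmark|or|and)\b""", re.IGNORECASE)

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def order_values(target: str) -> list:
    """Return every percent-decoded value of the order parameter in a request target."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("order", [])


def classify_order(value: str):
    """Return None for an expected value, otherwise a short reason to flag it."""
    stripped = value.strip()
    if stripped.lower() in ALLOWED_ORDER_VALUES:
        return None
    if len(stripped) > MAX_ORDER_LENGTH:
        return "overlong value"
    match = SQL_HINTS.search(stripped)
    if match:
        return f"sql metacharacter or keyword {match.group(0)!r}"
    return "value outside allow-list"


def scan_log(text: str) -> list:
    """Parse each line and collect a finding for every suspicious order value."""
    findings = []
    for line in text.splitlines():
        parsed = LOG_LINE.match(line)
        if not parsed:
            continue  # skip lines that are not in combined log format
        for value in order_values(parsed["target"]):
            reason = classify_order(value)
            if reason is not None:
                findings.append({
                    "ip": parsed["ip"],
                    "time": parsed["ts"],
                    "status": int(parsed["status"]),
                    "order": value,
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Decoding before matching matters: the raw log line carries `%27`, and a pattern written against the encoded form is easy to sidestep with a different encoding. Feeding the findings (source IP, time, HTTP status) into the SIEM gives a far smaller alert set than matching on the presence of the parameter alone.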
🔗 References
- https://checkmarx.com/blog/securing-open-source-solutions-a-study-of-osticket-vulnerabilities/
- https://github.com/osTicket/osTicket-plugins/commit/0b59afbd2d4ccd0522552198a9aaf1ec05b5071e