CVE-2022-31946
📋 TL;DR
CVE-2022-31946 is a critical SQL injection vulnerability in Rescue Dispatch Management System v1.0: a request parameter handled by the delete_team function in /rdms/classes/Master.php is placed into a SQL statement without proper sanitization, so anyone who can reach that endpoint can run arbitrary SQL against the application's database. Every deployment of the vulnerable version is affected. The likely outcome is unauthorized deletion or modification of team records; the worst case is compromise of the entire database.
💻 Affected Systems
- Rescue Dispatch Management System
📦 What is this software?
Rescue Dispatch Management System, a PHP web application (the vulnerable code lives in /rdms/classes/Master.php). The vendor is recorded only as "Rescue Dispatch Management System Project"; there is no commercial vendor behind it.
⚠️ Risk & Real-World Impact
Worst Case
Complete database takeover: reading or exfiltrating every table the application's database account can see, modifying or deleting arbitrary data, and, if that account holds elevated privileges (file-write privileges such as MySQL FILE, for instance), escalating to remote code execution on the web server.
Likely Case
Unauthorized deletion or modification of team records (the function's own purpose is deleting a team, so a single tautology payload can wipe the table), and, depending on how the query is built and which driver features are exposed, read or write access to other database tables.
If Mitigated
Negligible once delete_team binds its parameters through a prepared statement, which removes the injection outright. Input validation and WAF filtering on their own only reduce exposure; they do not eliminate it.
🎯 Exploit Status
A public proof-of-concept is available on GitHub. Exploitation requires nothing more than crafted HTTP requests to the delete_team endpoint carrying SQL injection payloads; no special tooling is needed. Because the target function deletes records, even casual probing is destructive.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No known vendor advisory
Restart Required: No
Instructions:
No official patch is known. Apply the workarounds below (the prepared-statement change to Master.php is the actual fix, the rest are compensating controls) or migrate to alternative software.
🔧 Temporary Workarounds
Input Validation and Parameterized Queries
Add server-side validation of every user-supplied parameter before it reaches a query. For delete_team the value that selects the record to delete should be validated as an integer identifier and anything else rejected.
Modify /rdms/classes/Master.php so that delete_team, and every other function in that file that builds SQL from request parameters, uses prepared statements with bound parameters instead of string concatenation.
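As an added example (not code from the Rescue Dispatch Management System project, whose Master.php is not reproduced here), the following Python script reproduces the bug class behind delete_team against an in-memory SQLite table and shows the prepared-statement form that closes it. The table and column names (team_list, id, name) are assumptions for illustration; the real application is PHP, but the contrast between concatenating a parameter into the statement and binding it is the same in any language.

```python
"""Added example (not the project's code): string-concatenated DELETE versus a
parameterized DELETE, driven by the tautology payload from the verification step.
Table and column names (team_list, id, name) are assumptions for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three team records in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE team_list (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO team_list (id, name) VALUES (?, ?)",
        [(1, "Alpha"), (2, "Bravo"), (3, "Charlie")],
    )
    conn.commit()
    return conn


def delete_team_vulnerable(conn: sqlite3.Connection, team_id: str) -> int:
    """Mirrors the flaw class: the request parameter is pasted into the statement,
    so a quote character in the value changes the structure of the query."""
    sql = f"DELETE FROM team_list WHERE id = '{team_id}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually deleted


def delete_team_fixed(conn: sqlite3.Connection, team_id: str) -> int:
    """Hardened form: the identifier travels as a bound parameter, never as SQL text."""
    cur = conn.execute("DELETE FROM team_list WHERE id = ?", (team_id,))
    conn.commit()
    return cur.rowcount


def count_teams(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM team_list").fetchone()[0]


def demo() -> dict:
    """Run the same payload through both versions and report what happened."""
    payload = "' OR '1'='1"  # the tautology payload named in the verification step
    results = {}

    conn = make_db()
    results["vulnerable_deleted"] = delete_team_vulnerable(conn, payload)
    results["vulnerable_remaining"] = count_teams(conn)

    conn = make_db()
    results["fixed_deleted"] = delete_team_fixed(conn, payload)
    results["fixed_remaining"] = count_teams(conn)

    # A legitimate request still works against the fixed version.
    results["fixed_legit_deleted"] = delete_team_fixed(conn, "2")
    results["fixed_legit_remaining"] = count_teams(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the vulnerable version deleting all three rows from a single request (the WHERE clause becomes `id = '' OR '1'='1'`), while the fixed version deletes nothing for the same payload and still deletes exactly one row for a real identifier. Note that escaping the value instead of binding it would also stop this particular payload, but binding is what makes the fix independent of the payload.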
Web Application Firewall (WAF)
Deploy WAF rules that inspect requests to the vulnerable endpoint for SQL injection patterns.
Add WAF rule: block requests to /rdms/classes/Master.php?f=delete_team whose parameters contain quote characters or SQL keywords. Match on the URL-decoded parameter values, not the raw request line, and treat this as a stopgap only: keyword lists are bypassable with encoding, case changes and inline comments.
🧯 If You Can't Patch
- Isolate the system behind strict network segmentation and firewall rules
- Implement database-level controls: run the application under a database account limited to the tables it needs (no file, DDL or administrative privileges), enable query logging, and keep tested backups so deleted team records can be restored
🔍 How to Verify
Check if Vulnerable:
Against a non-production copy (delete_team deletes records, and a tautology such as ' OR '1'='1 can remove every team), send requests to /rdms/classes/Master.php?f=delete_team with SQL injection payloads in the record parameter and watch for database error messages, unexpected row changes, or induced delays. On a live system, restrict probing to a single quote in a value that matches no record and look for a database error in the response.
Check Version:
Check the software version in the application interface or configuration files.
Verify Fix Applied:
Confirm that delete_team in Master.php binds its parameters through a prepared statement, then repeat the payload tests above and verify that no rows are affected and no database error is returned.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /rdms/classes/Master.php (especially with f=delete_team) whose parameters, after URL decoding, contain quote characters, SQL keywords (OR, UNION, SELECT, SLEEP) or comment sequences (--, #)
- Application or database error logs showing SQL syntax errors originating from Master.php
Network Indicators:
- Database queries from the web server with structure the application never generates, such as UNION SELECT, information_schema lookups, or SLEEP/BENCHMARK calls
- Multiple rapid requests to the delete_team endpoint from one client, typical of scripted proof-of-concept or scanner use
SIEM Query:
source="web_logs" AND uri="/rdms/classes/Master.php" AND query_string="*f=delete_team*" AND (query_string="*'*" OR query_string="*%27*" OR query_string="*UNION*" OR query_string="*SELECT*" OR query_string="*SLEEP*" OR query_string="* OR *")
Normalize the query string (URL-decode, collapse case) before matching where your SIEM allows it, since payloads usually arrive percent-encoded; a bare "*OR*" match on the raw string is noisy and misses %20OR%20.
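The same indicators expressed as code, as an added example that is not part of the original advisory or of the project: it parses constructed access-log lines (Apache/nginx combined format), URL-decodes the parameters, flags delete_team requests carrying injection patterns, and counts delete_team requests per client to surface bursts. The log contents and the `id` parameter name are assumptions for illustration.

```python
"""Added example, not part of the original advisory or the project: applies the
log indicators above to constructed access-log lines and reports suspicious
delete_team requests plus per-client request counts.
The log contents and the 'id' parameter name are assumptions for illustration."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic, not real logs. Lines 2-4 carry typical payloads,
# percent-encoded the way a browser or a PoC script would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2022:10:01:02 +0000] "GET /rdms/classes/Master.php?f=delete_team&id=3 HTTP/1.1" 200 45
10.0.0.9 - - [12/Jun/2022:10:01:07 +0000] "GET /rdms/classes/Master.php?f=delete_team&id=3%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 45
10.0.0.9 - - [12/Jun/2022:10:01:08 +0000] "GET /rdms/classes/Master.php?f=delete_team&id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0
10.0.0.9 - - [12/Jun/2022:10:01:09 +0000] "GET /rdms/classes/Master.php?f=delete_team&id=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 45
10.0.0.7 - - [12/Jun/2022:10:02:00 +0000] "GET /rdms/classes/Master.php?f=get_team&id=2 HTTP/1.1" 200 310
10.0.0.8 - - [12/Jun/2022:10:03:00 +0000] "GET /rdms/index.php?page=teams HTTP/1.1" 200 8192
"""

VULNERABLE_PATH = "/rdms/classes/Master.php"
VULNERABLE_FUNCTION = "delete_team"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Checked against URL-decoded parameter values, so percent-encoding does not hide
# them. Keyword matching is bypassable (case tricks, inline comments, alternative
# syntax), so treat hits as triage leads, not proof of exploitation.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.I)),  # ' OR '1'='1
    ("union", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("comment", re.compile(r"(--|#|/\*)")),
]


def parse_line(line):
    """Parse one combined-format line; parse_qs URL-decodes the parameter values."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = {
        k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return rec


def is_delete_team(rec):
    """True for requests dispatched to the vulnerable function."""
    return (
        rec is not None
        and rec["path"] == VULNERABLE_PATH
        and rec["params"].get("f") == VULNERABLE_FUNCTION
    )


def sqli_hits(rec):
    """Names of the injection patterns found in any parameter other than the dispatcher."""
    hits = []
    for name, pattern in SQLI_PATTERNS:
        if any(pattern.search(v) for k, v in rec["params"].items() if k != "f"):
            hits.append(name)
    return hits


def summarize(log_text):
    """Suspicious delete_team requests plus delete_team request counts per client IP."""
    alerts = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not is_delete_team(rec):
            continue
        per_ip[rec["ip"]] += 1
        hits = sqli_hits(rec)
        if hits:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                           "params": rec["params"], "hits": hits})
    return {"alerts": alerts, "delete_team_requests_by_ip": dict(per_ip)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f'{a["ts"]} {a["ip"]} status={a["status"]} hits={a["hits"]} params={a["params"]}')
    print("delete_team requests per client:", result["delete_team_requests_by_ip"])
```

On the sample data the three requests from 10.0.0.9 are flagged (tautology, UNION, and time-based with comment truncation) while the legitimate delete from 10.0.0.5 and the get_team request are not; the per-client counter shows the burst from 10.0.0.9 that the network indicators above describe. The 500 status on the UNION request is the access-log side of the "SQL syntax error" indicator and is worth correlating with the database error log.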