CVE-2023-24774
📋 TL;DR
Funadmin v3.2.0 contains a SQL injection vulnerability in the selectFields parameter at controller/auth/Auth.php. This allows attackers to execute arbitrary SQL commands, potentially compromising the database. All systems running Funadmin v3.2.0 are affected.
💻 Affected Systems
- Funadmin
📦 What is this software?
Funadmin by Funadmin
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution via database functions.
Likely Case
Database information disclosure, authentication bypass, and privilege escalation.
If Mitigated
Limited impact with proper input validation and parameterized queries in place.
🎯 Exploit Status
SQL injection vulnerabilities are commonly weaponized. The GitHub issue shows proof of concept exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.2.1 or later
Vendor Advisory: https://github.com/funadmin/funadmin/issues/12
Restart Required: Yes
Instructions:
1. Backup your database and application files.
2. Download the latest version from the official repository.
3. Replace affected files with patched versions.
4. Restart the web server.
5. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Applies to: all
Add input validation to reject malicious SQL characters in the selectFields parameter
Modify controller/auth/Auth.php to sanitize selectFields input
Web Application Firewall
Applies to: all
Deploy WAF rules to block SQL injection patterns
Add SQL injection detection rules to your WAF configuration
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries in the affected code
- Restrict database user permissions to minimum required privileges
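The two workarounds above both come down to the same control: a field-list parameter such as selectFields names columns, and column names cannot be bound as query parameters, so the only reliable fix is to accept exactly the identifiers the endpoint is allowed to return and reject everything else. The following is an added illustration, not Funadmin's own code and not a patch for controller/auth/Auth.php; the column allowlist, the table name and the sqlite schema are constructed for the example, and the row filter shows the parameterized part of the query.

```python
import re
import sqlite3

# Columns the endpoint may return. Constructed for this example; the real
# Funadmin column names are not taken from the advisory.
ALLOWED_FIELDS = {"id", "username", "email", "status", "create_time"}

# A bare SQL identifier: letters, digits, underscore, not starting with a digit.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class InvalidFieldList(ValueError):
    """Raised when a selectFields value contains anything but allowlisted columns."""


def validate_select_fields(raw, allowed=ALLOWED_FIELDS):
    """Turn a comma-separated selectFields value into a list of vetted columns.

    Each element must look like an identifier AND be on the allowlist; a value
    that merely "has no bad characters" is not enough, because a legitimate
    identifier (e.g. a password column) can still be one the caller must not read.
    """
    fields = []
    for part in raw.split(","):
        name = part.strip()
        if not name:
            continue
        if not IDENT_RE.match(name) or name not in allowed:
            raise InvalidFieldList(f"rejected field: {name!r}")
        if name not in fields:
            fields.append(name)
    if not fields:
        raise InvalidFieldList("no fields requested")
    return fields


def build_query(fields, table="admin"):
    # Identifiers come only from the vetted list and are quoted; the row
    # filter is a bound parameter, never string-concatenated.
    cols = ", ".join(f'"{f}"' for f in fields)
    return f'SELECT {cols} FROM "{table}" WHERE "id" = ?'


def fetch_admin(conn, raw_select_fields, admin_id):
    """Validate the field list, then run the parameterized query."""
    fields = validate_select_fields(raw_select_fields)
    cur = conn.execute(build_query(fields), (admin_id,))
    return [dict(zip(fields, row)) for row in cur.fetchall()]


def is_rejected(raw):
    """True if the validator refuses this selectFields value."""
    try:
        validate_select_fields(raw)
    except InvalidFieldList:
        return True
    return False


def demo_db():
    # In-memory sqlite stand-in for the application's admin table (constructed).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (id INTEGER, username TEXT, email TEXT, "
        "status INTEGER, create_time INTEGER, password_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO admin VALUES (1, 'root', 'root@example.test', 1, 0, 'hash-placeholder')"
    )
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(fetch_admin(conn, "id, username", 1))
    print(is_rejected("id,password_hash"))   # valid identifier, not allowlisted
    print(is_rejected("id UNION SELECT 1"))  # not an identifier at all
```

Rejecting on the allowlist rather than on a blocklist of SQL characters is the point: the WAF workaround on this page can only catch known patterns, while the allowlist makes the set of reachable queries finite regardless of how the value is encoded.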
🔍 How to Verify
Check if Vulnerable:
Test the /controller/auth/Auth.php endpoint with SQL injection payloads in the selectFields parameter
Check Version:
Check Funadmin version in configuration files or admin panel
Verify Fix Applied:
Test the same endpoint with SQL injection payloads and verify they are rejected or sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed authentication attempts with SQL patterns
- Requests to /controller/auth/Auth.php with suspicious parameters
Network Indicators:
- HTTP requests containing SQL keywords in selectFields parameter
- Unusual database connection patterns
SIEM Query:
source="web_logs" AND uri="/controller/auth/Auth.php" AND param="selectFields" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "--" OR value CONTAINS "')")
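The log and network indicators above reduce to one check: a request whose path is /controller/auth/Auth.php and whose selectFields value contains SQL tokens, or is not a plain comma-separated identifier list. The script below is an added example, not part of the advisory or of Funadmin, that applies that check to constructed combined-format access-log lines; the IP addresses, timestamps and request lines are made up for the example. The token match is scoped to the selectFields value only, so a SELECT in another parameter or on another URI does not raise an alert.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2023:10:01:12 +0000] "GET /controller/auth/Auth.php?selectFields=id,username HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2023:10:01:15 +0000] "GET /controller/auth/Auth.php?selectFields=id%20UNION%20SELECT%201,2-- HTTP/1.1" 500 88 "-" "curl/7.88"
203.0.113.9 - - [10/Mar/2023:10:01:18 +0000] "GET /controller/auth/Auth.php?selectFields=id%27%29-- HTTP/1.1" 200 600 "-" "curl/7.88"
198.51.100.2 - - [10/Mar/2023:10:02:01 +0000] "GET /index/search?q=SELECT%20your%20plan HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_PATH = "/controller/auth/Auth.php"
TARGET_PARAM = "selectFields"
# The tokens named in the advisory's SIEM query.
SQL_TOKENS = ("UNION", "SELECT", "--", "')")
# What a benign selectFields value looks like: identifiers, commas, whitespace.
IDENT_LIST_RE = re.compile(r"^[A-Za-z0-9_,\s]*$")


def inspect_line(line):
    """Return an alert dict for a suspicious request to the target, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes once, so %27%29 is examined as ')'.
    values = parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM, [])
    for value in values:
        hits = [tok for tok in SQL_TOKENS if tok in value.upper()]
        if hits or not IDENT_LIST_RE.match(value):
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "value": value,
                "tokens": hits,
            }
    return None


def scan(log_text):
    """Run inspect_line over every line and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        alert = inspect_line(line)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} status={a['status']} tokens={a['tokens']} value={a['value']!r}")
```

The fourth sample line is there to show the scoping: it carries the word SELECT but on a different path and in a different parameter, so it is not reported. The identifier-list check catches values that avoid the listed tokens but still are not a column list, which a token-only SIEM rule misses.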