CVE-2023-24777
📋 TL;DR
Funadmin v3.2.0 contains a SQL injection vulnerability in the id parameter of the /databases/table/list endpoint. This allows attackers to execute arbitrary SQL commands against the backing database. All systems running Funadmin v3.2.0 with the vulnerable endpoint accessible are affected.
💻 Affected Systems
- Funadmin
📦 What is this software?
Funadmin by Funadmin
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.
Likely Case
Database information disclosure, data manipulation, and potential authentication bypass.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database user privilege restrictions.
🎯 Exploit Status
SQL injection vulnerabilities are commonly weaponized. The GitHub issue shows proof-of-concept exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.2.1 or later
Vendor Advisory: https://github.com/funadmin/funadmin/issues/5
Restart Required: Yes
Instructions:
1. Back up your current installation and database.
2. Download the latest version from the official repository.
3. Replace vulnerable files with patched versions.
4. Restart the web application service.
5. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with SQL injection protection rules to block malicious requests.
Endpoint Restriction
Block access to the /databases/table/list endpoint using web server configuration.
# Apache: RewriteRule ^/databases/table/list - [F]
# Nginx: location ~ ^/databases/table/list { deny all; }
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries in the application code.
- Restrict database user privileges to minimum required permissions.
🔍 How to Verify
Check if Vulnerable:
Test the /databases/table/list endpoint with SQL injection payloads in the id parameter (e.g., id=1' OR '1'='1). Monitor database logs for unusual queries.
Check Version:
Check the Funadmin version in the admin panel or review the application's version file.
Verify Fix Applied:
After patching, attempt the same SQL injection tests. The application should reject malicious input or return error messages without executing SQL.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed requests to /databases/table/list
- Requests with SQL keywords in parameters
Network Indicators:
- HTTP requests to /databases/table/list with SQL injection patterns
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri="/databases/table/list" AND (param="id" AND value MATCHES "'.*OR.*|UNION.*|SELECT.*")
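The SIEM query above expressed as runnable detection logic, as an added example that is not part of the advisory: it parses combined-format web server access log lines, URL-decodes the id parameter of requests to /databases/table/list, flags values matching the same quote/OR, UNION, SELECT and comment-marker patterns, and counts repeat source IPs. The log lines and IP addresses are constructed sample data; the regex patterns and the threshold are assumptions, not Funadmin's or any vendor's detection rules.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (combined log format), not real traffic:
# a benign numeric id, two encoded injection attempts, an unrelated request,
# and a comment-marker attempt from the same source as the first attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:12:00:01 +0000] "GET /databases/table/list?id=12 HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2023:12:00:05 +0000] "GET /databases/table/list?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120
203.0.113.9 - - [10/Mar/2023:12:00:09 +0000] "GET /databases/table/list?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 231
198.51.100.4 - - [10/Mar/2023:12:01:00 +0000] "GET /index/index HTTP/1.1" 200 4096
203.0.113.7 - - [10/Mar/2023:12:01:30 +0000] "GET /databases/table/list?id=1%27-- HTTP/1.1" 500 231
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed patterns mirroring the page's SIEM query, plus SQL comment markers.
SQLI_RE = re.compile(r"(['\"].*\bOR\b|\bUNION\b|\bSELECT\b|--|/\*|;)", re.IGNORECASE)

VULN_PATH = "/databases/table/list"


def flag_requests(log_text: str) -> list[dict]:
    """Return one record per request to the vulnerable endpoint whose decoded
    id parameter matches an injection pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        if parts.path != VULN_PATH:
            continue
        # parse_qs percent-decodes once; keep_blank_values keeps "id=" visible.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            value = unquote_plus(raw)  # second pass catches double-encoded values
            if SQLI_RE.search(value):
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "id": value})
    return hits


def repeat_offenders(hits: list[dict], threshold: int = 2) -> dict:
    """Source IPs with at least `threshold` flagged requests (assumed threshold)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```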