CVE-2023-38891
📋 TL;DR
This SQL injection vulnerability in Vtiger CRM v7.5.0 allows authenticated remote attackers to execute arbitrary SQL commands via the getQueryColumnsList function in ReportRun.php. This can lead to privilege escalation, data theft, or complete system compromise. Only Vtiger CRM installations running version 7.5.0 are affected.
💻 Affected Systems
- Vtiger CRM
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, privilege escalation to admin, and potential remote code execution through database functions.
Likely Case
Privilege escalation allowing attackers to gain administrative access, modify user permissions, and access sensitive business data.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing SQL injection.
🎯 Exploit Status
Exploit requires authenticated access but SQL injection is straightforward once authenticated. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.5.1 or later
Vendor Advisory: https://code.vtiger.com/vtiger/vtigercrm/-/blob/master/modules/Reports/ReportRun.php
Restart Required: No
Instructions:
1. Backup your Vtiger CRM database and files.
2. Upgrade to Vtiger CRM version 7.5.1 or later.
3. Apply the patch that implements parameterized queries in the getQueryColumnsList function.
4. Verify the fix by testing the reports functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement input validation to sanitize user inputs before processing in the Reports module.
Modify ReportRun.php to add input validation for all user-controlled parameters
Temporary Access Restriction
Restrict access to the Reports module for non-admin users until patched.
Update user permissions to remove Reports module access for standard users
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SQL injection patterns targeting the Reports module.
- Disable the Reports module entirely if not business-critical until patching is possible.
🔍 How to Verify
Check if Vulnerable:
Check if running Vtiger CRM version 7.5.0 and examine ReportRun.php line 395 for lack of parameterized queries.
Check Version:
Check Vtiger CRM admin panel or examine version.php file in the installation directory.
Verify Fix Applied:
Verify version is 7.5.1 or later and check that ReportRun.php uses prepared statements with parameter binding.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs from Reports module
- Multiple failed login attempts followed by Reports module access
Network Indicators:
- SQL injection patterns in HTTP POST requests to Reports endpoints
SIEM Query:
source="web_server" AND (uri="/modules/Reports/*" AND (method="POST" OR method="GET") AND (query CONTAINS "UNION" OR query CONTAINS "SELECT" OR query CONTAINS "INSERT"))
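The following Python script is an added example, not part of this advisory and not Vtiger code. It applies the same conditions as the SIEM query above (Reports-module request, GET or POST, query containing UNION, SELECT or INSERT) to web server access-log lines so the rule can be tried offline before it is deployed. It goes slightly beyond the query in two ways, both of which are my assumptions rather than anything the advisory states: it URL-decodes the query string before matching, and it also treats `index.php?module=Reports` requests as Reports-module traffic, since that is how a stock Vtiger 7 install reaches the module. The log lines are constructed for the example.

```python
"""
Added example (not from the advisory or from Vtiger CRM): an offline check of
the advisory's SIEM rule against access-log lines.

Assumptions (mine, not from the advisory):
  - log lines use a combined-log-like request field:
      "<METHOD> <path>?<query> HTTP/1.x"
  - Reports-module traffic is either a path under /modules/Reports/ (as in the
    SIEM query) or index.php with module=Reports in the query string
"""
import re
from urllib.parse import parse_qs, unquote_plus

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
SQL_KEYWORDS = ("UNION", "SELECT", "INSERT")  # the keywords the SIEM query looks for


def parse_request(line):
    """Return (method, path, raw_query) from an access-log line, or None."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    path, _, raw_query = m.group("target").partition("?")
    return m.group("method"), path, raw_query


def is_reports_request(path, raw_query):
    """Reports-module traffic by path prefix or by module=Reports (assumption)."""
    if path.startswith("/modules/Reports/"):
        return True
    return "Reports" in parse_qs(raw_query).get("module", [])


def matches_rule(line):
    """True when the line satisfies the advisory's SIEM rule conditions."""
    parsed = parse_request(line)
    if parsed is None:
        return False
    method, path, raw_query = parsed
    if method not in ("GET", "POST"):
        return False
    if not is_reports_request(path, raw_query):
        return False
    # Decode percent-encoding and '+' so UNION%20SELECT is still seen, and
    # compare case-insensitively so 'union select' is not missed.
    decoded = unquote_plus(raw_query).upper()
    return any(kw in decoded for kw in SQL_KEYWORDS)


def flag_lines(lines):
    """Return the subset of lines the rule would raise an alert on."""
    return [line for line in lines if matches_rule(line)]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?module=Reports&view=List HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?module=Reports&view=Detail&record=12%20UNION%20SELECT%201 HTTP/1.1" 200 4410',
    '10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /index.php?module=Reports&view=List&search=Q4+Selection HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?module=Contacts&view=List&search=select+committee HTTP/1.1" 200 3000',
    '10.0.0.8 - - [01/Jan/2024:10:02:00 +0000] "POST /modules/Reports/ReportRun.php HTTP/1.1" 200 800',
    '10.0.0.9 - - [01/Jan/2024:10:03:00 +0000] "GET /modules/Reports/index.php?q=union%20select HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for hit in flag_lines(SAMPLE_LOG):
        print("FLAGGED:", hit)
```

Two things the sample set is built to show. The third line, a Reports search for "Q4 Selection", is flagged because bare keyword matching sees "SELECT" inside "SELECTION"; a rule this broad is a triage signal, not a confirmed attack, and anchoring on word boundaries or keyword pairs such as "UNION SELECT" reduces that noise. The fifth line, a POST to ReportRun.php, is not flagged at all even though that is exactly where the vulnerable function lives: access logs record the query string but not the request body, so injected POST parameters are invisible here and need a WAF or application-level log to inspect them, which is why the advisory lists WAF rules as a stopgap.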