CVE-2024-10618
📋 TL;DR
This critical SQL injection vulnerability in Tongda OA 2017 allows remote attackers to execute arbitrary SQL commands via the repid parameter in /pda/reportshop/record_detail.php. Organizations using affected versions of Tongda OA are at risk of data theft, manipulation, or system compromise. The vulnerability requires no authentication and has a public exploit available.
💻 Affected Systems
- Tongda OA
📦 What is this software?
Office Anywhere by Tongda2000
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, privilege escalation, and potential remote code execution on the underlying server.
Likely Case
Unauthorized access to sensitive business data stored in the database, including employee records, financial information, and internal documents.
If Mitigated
Limited impact with proper input validation and database permissions restricting damage to non-critical data.
🎯 Exploit Status
Exploit code is publicly available on GitHub. The vulnerability requires no authentication and has simple exploitation vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
1. Check Tongda official website for security updates
2. Apply any available patches for version 11.10 or later
3. Verify the fix by testing the vulnerable endpoint
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Implement WAF rules to block SQL injection attempts targeting the vulnerable endpoint
# Example ModSecurity (v2 syntax) rule, scoped to the repid argument only:
SecRule ARGS:repid "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL Injection attempt detected in repid'"
# Example naxsi rule: match a single quote in the repid GET argument (mz:$ARGS_VAR:repid),
# rather than the literal string "repid" in any argument value. The match adds 4 to the $SQL
# score; blocking happens when your CheckRule threshold (e.g. "$SQL >= 8") is reached.
# The id sits outside the 1000-1999 range used by naxsi_core.rules.
MainRule "str:'" "msg:sql injection in repid" "mz:$ARGS_VAR:repid" "s:$SQL:4" id:42001;
Access Restriction
Block external access to the vulnerable /pda/reportshop/ directory
# Apache (2.2 syntax; on 2.4 this needs mod_access_compat, or use the equivalent
# "Require ip 192.168.0.0/16"). Replace 192.168.0.0/16 with your internal range.
<Location "/pda/reportshop/">
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/16
</Location>
# Nginx: allow/deny directives are checked in order and the first match wins,
# so the allow must come before "deny all" or nobody gets through.
location /pda/reportshop/ {
    allow 192.168.0.0/16;
    deny all;
}
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Tongda OA systems from critical infrastructure
- Deploy database activity monitoring to detect and alert on suspicious SQL queries
🔍 How to Verify
Check if Vulnerable:
Test the endpoint with SQL injection payloads: curl -X GET "http://<target>/pda/reportshop/record_detail.php?repid=1'"
Check Version:
Check Tongda OA version in admin panel or configuration files
Verify Fix Applied:
Attempt SQL injection after applying controls and verify error messages or database responses are sanitized
📡 Detection & Monitoring
Log Indicators:
- SQL syntax errors in web server logs
- Unusual database query patterns from web application
- Multiple failed login attempts following SQL injection attempts
Network Indicators:
- HTTP requests to /pda/reportshop/record_detail.php with SQL keywords in parameters
- Unusual outbound database connections from web server
SIEM Query:
source="web_logs" AND uri="/pda/reportshop/record_detail.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*" OR query="*UPDATE*" OR query="*DELETE*")
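A log triage script that applies the indicators above, added here as an example and not part of the advisory: it parses combined-format access log lines, scopes to the vulnerable path and the repid parameter, URL-decodes the value (including double-encoded payloads, which a plain wildcard match on the raw query string would miss) and flags anything that is not a plain integer id. The log lines are constructed, and the marker list and the "repid is always an integer" expectation are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

VULN_PATH = "/pda/reportshop/record_detail.php"
# Cheap SQLi markers for a parameter that should only ever be an integer id (assumed)
SQLI_MARKERS = re.compile(
    r"(?i)['\"#;]|--|/\*|\b(union|select|insert|update|delete|or|and|sleep)\b")
# Apache/Nginx combined access-log layout
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

def decode_repid(target):
    """Return the decoded repid values of a request to the vulnerable path, else []."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    raw = parse_qs(parts.query, keep_blank_values=True).get("repid", [])
    # parse_qs already decoded once; decode twice more so double-encoded
    # payloads (%2527, %2520) are seen in their final form
    return [unquote_plus(unquote_plus(v)) for v in raw]

def classify(value):
    """None for a plain integer id, otherwise a short reason string."""
    if re.fullmatch(r"\d+", value.strip()):
        return None
    m = SQLI_MARKERS.search(value)
    return f"sqli marker {m.group(0)!r}" if m else "non-numeric repid"

def scan_log(lines):
    """Return (ip, timestamp, status, reason, decoded_repid) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in decode_repid(m["target"]):
            reason = classify(value)
            if reason:
                hits.append((m["ip"], m["ts"], m["status"], reason, value))
    return hits

# Constructed sample lines (not real traffic): one benign id, one quote probe,
# one double-encoded UNION, and one hit on a different script that must be ignored
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /pda/reportshop/record_detail.php?repid=1 HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2024:13:55:37 +0000] "GET /pda/reportshop/record_detail.php?repid=1%27 HTTP/1.1" 500 1024
203.0.113.9 - - [10/Oct/2024:13:55:38 +0000] "GET /pda/reportshop/record_detail.php?repid=1%2520union%2520select%25201 HTTP/1.1" 200 2048
198.51.100.2 - - [10/Oct/2024:13:55:39 +0000] "GET /pda/reportshop/other.php?repid=1%27 HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Feed it your real access log instead of SAMPLE_LOG and correlate the flagged source addresses with the database-side indicators listed above.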