CVE-2024-13979
TL;DR
This is a critical SQL injection vulnerability in the St. Joe ERP system (圣乔ERP系统) that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login endpoint; the public proof-of-concept linked in the references names the SingleRowQueryConvertor component as the injection point. Attackers can read and modify the backend database directly, leading to unauthorized data access, data tampering, or service disruption. Any organization running an unpatched St. Joe ERP instance is affected.
Affected Systems
- St. Joe ERP system (圣乔ERP系统)
What is this software?
St. Joe ERP System (圣乔ERP系统), an enterprise resource planning product listed under the vendor name St. Joe Erp System Project.
Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, destruction, or ransomware deployment, potentially affecting all business operations.
Likely Case
Unauthorized access to sensitive business data, customer information, and financial records, with potential data modification or exfiltration.
If Mitigated
Limited impact if proper network segmentation, WAF rules, and input validation are in place, though risk remains until patched.
Exploit Status
Exploitation requires only an HTTP POST request to the login endpoint carrying a crafted SQL injection payload; no credentials or prior access are needed. Public proof-of-concept code is available (see References).
Fix & Mitigation
Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Monitor vendor channels for updates. Consider implementing workarounds or migrating to alternative ERP solutions.
Temporary Workarounds
Web Application Firewall (WAF) Rules
Deploy WAF rules to block SQL injection patterns in POST requests to the login endpoint
# ModSecurity example: libinjection-based SQLi detection on every request argument.
# phase:2 inspects the request body, which only works with SecRequestBodyAccess On.
SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"
Network Access Control
Restrict access to the ERP system to trusted IP addresses only
# Allow the trusted range to reach the ERP's HTTP/HTTPS ports, then drop everyone else (ACCEPT rules alone restrict nothing)
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP_RANGE -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP_RANGE -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
If You Can't Patch
- Implement strict input validation and parameterized queries in the application code (only possible where you control or can modify the ERP source)
- Deploy the ERP system behind a reverse proxy with SQL injection filtering
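The difference between the vulnerable pattern and the parameterized fix, shown as an added example in Python against an in-memory SQLite table. This is not St. Joe ERP code: the table layout, the login query and the sample credentials are assumptions standing in for whatever the real component builds.

```python
import sqlite3

# Classic tautology and comment-terminator payloads used in the demonstration.
PAYLOADS = ["' OR '1'='1", "admin'--"]


def make_db():
    """Constructed in-memory user store standing in for the ERP login table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """User input is pasted into the SQL text, so quotes and keywords change the query."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Bound parameters travel separately from the SQL text; quotes stay data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare(username_value, password_value):
    """Run both implementations on the same input and report who gets logged in."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username_value, password_value),
        "fixed": login_fixed(conn, username_value, password_value),
    }


if __name__ == "__main__":
    print("legit:", compare("admin", "correct-horse"))
    for p in PAYLOADS:
        print(repr(p), "in username:", compare(p, "wrong"))
        print(repr(p), "in password:", compare("admin", p))
```

Note that the tautology payload only bypasses the check when placed in the password field of this query, because AND binds tighter than OR; the comment payload in the username field works regardless. The parameterized version returns no row for either.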
How to Verify
Check if Vulnerable:
On an instance you are authorized to test, send a baseline login request, then the same request with a quote-breaking payload in a field (e.g., ' OR '1'='1), and compare the two: a database error message, a changed status code, or a response that differs between a true and a false injected condition shows that the input reaches the query unescaped
Check Version:
Check ERP system documentation or interface for version information. No specific command provided by vendor.
Verify Fix Applied:
Re-run the same probes after patching: responses to quote-broken and boolean true/false payloads must be indistinguishable from a normal failed login and must not contain database error text
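An added example (not from the original page or the vendor) of the differential check described above, in Python with only the standard library. The login URL, the form field names and the probe values are assumptions to be replaced with the real ones; the database error signatures are generic strings and not specific to St. Joe ERP. Only run it against systems you are authorized to test.

```python
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Generic error strings that leak when a stray quote breaks the query (not ERP-specific).
DB_ERROR_RE = re.compile(
    r"You have an error in your SQL syntax|Unclosed quotation mark|ORA-\d{5}|"
    r"syntax error at or near|SQLSTATE\[|SQLException",
    re.IGNORECASE,
)


def find_db_error(body):
    """Return the first database error signature found in a response body, or None."""
    m = DB_ERROR_RE.search(body)
    return m.group(0) if m else None


def build_probes(base_value):
    """Probe values for one field: baseline, quote-break, and a boolean true/false pair."""
    return {
        "baseline": base_value,
        "quote": base_value + "'",
        "bool_true": base_value + "' AND '1'='1",
        "bool_false": base_value + "' AND '1'='2",
    }


def looks_injectable(responses):
    """Decide from {probe_name: (status, body)} whether the field is likely injectable.

    Two signals: the quote probe leaks a DB error, or the true-condition response
    matches the baseline while the false-condition response differs from it.
    """
    fp = {k: (status, len(body)) for k, (status, body) in responses.items()}
    err = find_db_error(responses["quote"][1])
    if err:
        return True, "quote probe leaked a database error: " + err
    if fp["bool_true"] == fp["baseline"] and fp["bool_false"] != fp["baseline"]:
        return True, "boolean true/false probes diverge (blind SQLi pattern)"
    return False, "no error leak and no boolean divergence"


def post_form(url, fields, timeout=10):
    """POST a urlencoded form and return (status, body); HTTP error pages are still responses."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def check_field(url, field, other_fields):
    """Send every probe in `field`, keeping the other form fields fixed."""
    responses = {}
    for name, value in build_probes("probe").items():
        responses[name] = post_form(url, dict(other_fields, **{field: value}))
    return looks_injectable(responses)


if __name__ == "__main__":
    # Assumed invocation: python sqli_check.py https://erp.example/login username password=x
    url, field = sys.argv[1], sys.argv[2]
    others = dict(kv.split("=", 1) for kv in sys.argv[3:])
    vulnerable, reason = check_field(url, field, others)
    print("LIKELY VULNERABLE" if vulnerable else "no evidence", "-", reason)
```

Comparing status and body length rather than exact bodies keeps per-request noise (timestamps, CSRF tokens) from masking the boolean divergence; if the page embeds large dynamic content, compare a stripped body instead.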
Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple failed login attempts with SQL-like patterns
- Successful logins from unexpected IP addresses
Network Indicators:
- HTTP POST requests to login endpoint containing SQL keywords (SELECT, UNION, INSERT, etc.)
- Abnormal database query patterns from application server
SIEM Query (match against the URL-decoded request body; a bare OR, AND or lone quote fires on legitimate input such as O'Brien, so require a stronger indicator or a second hit before alerting):
source="web_logs" AND http_method="POST" AND url_path="*/login" AND request_body MATCHES "(?i)(\bUNION\b.{0,20}\bSELECT\b|\b(INSERT|UPDATE|DELETE|DROP)\b\s+\w|'\s*(OR|AND)\s*'|--|#|;)"
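The log indicators above turned into a small detector, as an added example in Python run over a few constructed access-log lines (not real St. Joe ERP logs; the line layout and paths are assumptions). It URL-decodes the body first, so what is scored is what the application saw, and it weights combinations of indicators so that an apostrophe in a surname does not alert on its own.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines in an assumed 'METHOD PATH STATUS "body"' layout (not real ERP logs).
SAMPLE_LOG = """\
POST /erp/login 200 "username=alice&password=Winter2024"
POST /erp/login 200 "username=o'brien&password=hunter2"
POST /erp/login 500 "username=admin'+OR+'1'%3D'1&password=x"
POST /erp/login 200 "username=admin'+UNION+SELECT+1,2,3--&password=x"
GET /erp/index 200 ""
POST /erp/search 200 "q=black+and+white"
"""

LINE_RE = re.compile(r'^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<body>.*)"$')

# (name, pattern, weight). A lone quote or a bare OR/AND is too noisy to alert on by itself
# (O'Brien, "black and white"), so those only count together with stronger signals.
SIGNALS = [
    ("tautology", re.compile(r"'\s*(or|and)\s*'?[^=]*=", re.I), 3),
    ("union_select", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I), 3),
    ("dml_ddl", re.compile(r"\b(insert|update|delete|drop)\b\s+\w", re.I), 2),
    ("comment_terminator", re.compile(r"--\s|--$|#\s*$|;\s*$"), 1),
    ("quote", re.compile(r"'"), 1),
]
THRESHOLD = 3


def decode_body(raw):
    """URL-decode the form body and join its values, so we match what the application sees."""
    params = parse_qs(raw, keep_blank_values=True)
    return " ".join(v for values in params.values() for v in values)


def score_body(decoded):
    """Return (score, [signal names]) for one decoded request body."""
    hits = [name for name, rx, _ in SIGNALS if rx.search(decoded)]
    score = sum(w for name, _, w in SIGNALS if name in hits)
    return score, hits


def scan(log_text):
    """Alert on POSTs to a login path whose body scores at or above THRESHOLD."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].endswith("/login"):
            continue
        score, hits = score_body(decode_body(m["body"]))
        if score >= THRESHOLD:
            alerts.append({"path": m["path"], "status": int(m["status"]),
                           "score": score, "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Pair the body score with the status code: a 500 on the login path together with a tautology hit is a much stronger indicator than either alone, and a 200 after a UNION SELECT deserves a look at what the response contained.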
References
- https://blog.csdn.net/qq_41904294/article/details/144240396
- https://en.fofa.info/result?qbase64=5Zyj5LmURVJQ57O757uf
- https://github.com/adysec/POC/blob/main/wpoc/%E5%9C%A3%E4%B9%94ERP/%E5%9C%A3%E4%B9%94ERP%E7%B3%BB%E7%BB%9FSingleRowQueryConvertor%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
- https://www.vulncheck.com/advisories/st-joes-erp-system-sqli