CVE-2024-25320
📋 TL;DR
This CVE describes a SQL injection vulnerability in Tongda OA software that allows attackers to execute arbitrary SQL commands via the $AFF_ID parameter in the /affair/delete.php endpoint. Organizations using affected versions of Tongda OA are vulnerable to data theft, manipulation, or complete system compromise. The high CVSS score indicates this is a critical vulnerability requiring immediate attention.
💻 Affected Systems
- Tongda OA
📦 What is this software?
Office Anywhere by Tongda2000
Office Anywhere by Tongda2000
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, privilege escalation to administrative access, and potential remote code execution on the underlying server.
Likely Case
Unauthorized access to sensitive business data, manipulation of workflow records, and potential lateral movement within the network.
If Mitigated
Limited impact with proper input validation and WAF protection, though the vulnerability still exists in the codebase.
🎯 Exploit Status
Exploitation requires authentication to access the /affair/delete.php endpoint, but SQL injection payloads are straightforward. Public proof-of-concept exists in GitHub repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v11.10 or later
Vendor Advisory: Not publicly available in provided references
Restart Required: Yes
Instructions:
1. Backup your Tongda OA database and application files. 2. Download the latest version from official Tongda sources. 3. Follow the vendor's upgrade procedure. 4. Restart the application server. 5. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
WAF Rule Implementation
allDeploy a web application firewall rule to block SQL injection patterns in the $AFF_ID parameter
WAF-specific configuration commands vary by vendor
Input Validation Filter
allImplement server-side input validation to restrict $AFF_ID parameter to expected numeric values only
Modify /affair/delete.php to validate $AFF_ID as integer: if(!is_numeric($_GET['AFF_ID'])) { die('Invalid input'); }
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Tongda OA servers from sensitive systems
- Deploy database monitoring to detect unusual SQL queries and implement principle of least privilege for database accounts
🔍 How to Verify
Check if Vulnerable:
Test the /affair/delete.php endpoint with SQL injection payloads in the AFF_ID parameter (e.g., AFF_ID=1' OR '1'='1). Monitor for database errors or unexpected behavior.Check Version:
Check Tongda OA version through the web interface admin panel or by examining application files/version.txtVerify Fix Applied:
Attempt the same SQL injection tests after patching. Successful fix should return proper error handling without executing SQL commands.📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by access to /affair/delete.php
- HTTP requests with SQL keywords in AFF_ID parameter
Network Indicators:
- Unusual outbound database connections from web server
- Traffic patterns indicating data exfiltration
SIEM Query:
source="web_logs" AND uri="/affair/delete.php" AND (query_string CONTAINS "UNION" OR query_string CONTAINS "SELECT" OR query_string CONTAINS "OR '1'='1'")