CVE-2024-2590
📋 TL;DR
This SQL injection vulnerability in AMSS++ version 4.31 allows remote attackers to execute arbitrary SQL queries through the 'sd_index' parameter in the /amssplus/modules/mail/main/select_send.php endpoint. This could lead to complete database compromise, exposing all stored information. Organizations running vulnerable AMSS++ installations are affected.
💻 Affected Systems
- AMSS++
📦 What is this software?
AMSS++ by AMSS++ Project
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive user data, credentials, and system information leading to data breach, privilege escalation, and potential system takeover.
Likely Case
Data exfiltration from the database including user information, email content, and potentially authentication credentials.
If Mitigated
Limited impact with proper input validation and database permissions restricting query execution.
🎯 Exploit Status
SQL injection vulnerabilities are commonly exploited and tools like sqlmap can automate exploitation. No authentication is required to access the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for patched version
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-amssplus-amss
Restart Required: Yes
Instructions:
1. Review the vendor advisory at the provided URL.
2. Download and apply the latest patched version of AMSS++.
3. Restart the AMSS++ service.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with SQL injection protection rules to block malicious requests to the vulnerable endpoint.
Input Validation Filter
Implement server-side input validation to sanitize the 'sd_index' parameter before processing.
🧯 If You Can't Patch
- Block external access to /amssplus/modules/mail/main/select_send.php using network firewall rules or web server configuration.
- Implement strict database user permissions to limit the impact of successful SQL injection attacks.
🔍 How to Verify
Check if Vulnerable:
Test the /amssplus/modules/mail/main/select_send.php endpoint with SQL injection payloads in the 'sd_index' parameter and observe database errors or unexpected responses.
Check Version:
Check AMSS++ version in the application interface or configuration files (typically version.php or similar).
Verify Fix Applied:
After patching, attempt SQL injection against the same endpoint and verify that input is properly sanitized and no database errors are returned.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple requests to /amssplus/modules/mail/main/select_send.php with suspicious parameters
- Database query logs showing unexpected SQL statements
Network Indicators:
- HTTP requests containing SQL keywords (SELECT, UNION, etc.) in the 'sd_index' parameter
- Unusual traffic patterns to the vulnerable endpoint
SIEM Query:
source="web_server_logs" AND uri="/amssplus/modules/mail/main/select_send.php" AND param="sd_index" AND (value MATCH "'.*[Ss][Ee][Ll][Ee][Cc][Tt].*'" OR value MATCH ".*--.*")
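
The log and network indicators above can also be checked offline against web server access logs. The following is an added example, not part of the vendor advisory or of AMSS++: it assumes the Apache/nginx "combined" log format and that 'sd_index' arrives in the URL query string (values sent in a POST body do not appear in access logs), and it percent-decodes the value before matching so encoded requests are not missed. The sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/amssplus/modules/mail/main/select_send.php"
PARAM = "sd_index"

# Assumption: Apache/nginx "combined" access-log format.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3}')
# SELECT, UNION and "--" come from the indicators above; the remaining
# keywords and metacharacters are an assumed extension of the page's "etc.".
SUSPICIOUS_RE = re.compile(
    r"\b(select|union|insert|update|delete|drop)\b|--|/\*|[';]", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /amssplus/modules/mail/main/select_send.php?sd_index=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:01:05 +0000] "GET /amssplus/modules/mail/main/select_send.php?sd_index=1%27%20UNION%20SELECT%201-- HTTP/1.1" 500 87 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Mar/2024:10:01:06 +0000] "GET /amssplus/modules/mail/main/select_send.php?sd_index=3+union+select+2 HTTP/1.1" 200 90 "-" "curl/8.0"',
    '192.0.2.10 - - [12/Mar/2024:10:01:09 +0000] "GET /amssplus/index.php?sd_index=1%27 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

def flag_line(line):
    """Return (client_ip, decoded_value) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return None  # only the endpoint named in the advisory is in scope
    # parse_qs percent-decodes, so %27 / %20 / '+' are matched in clear text.
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        if SUSPICIOUS_RE.search(value):
            return m.group("ip"), value
    return None

def scan(lines):
    """Group suspicious sd_index values by client IP to expose repeated probing."""
    hits = {}
    for line in lines:
        hit = flag_line(line)
        if hit:
            hits.setdefault(hit[0], []).append(hit[1])
    return hits

if __name__ == "__main__":
    for ip, values in scan(SAMPLE_LOG).items():
        print(ip, len(values), values)
```

A client that appears with several flagged values corresponds to the "multiple requests with suspicious parameters" indicator and is worth correlating with database error logs from the same time window.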