CVE-2024-28303
📋 TL;DR
CVE-2024-28303 is a critical SQL injection vulnerability in Open Source Medicine Ordering System v1.0. The date parameter of the admin reports page (/admin/reports/index.php) is concatenated into a database query without validation or parameter binding, so an attacker who can reach that page can inject arbitrary SQL. All deployments of version 1.0 are affected; because the application stores medication orders and patient details, a successful attack can expose or alter the entire database.
💻 Affected Systems
- Open Source Medicine Ordering System
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation and authentication bypass (for example, reading or rewriting admin credentials). Remote code execution on the underlying server is possible if the database account has file-write privileges into a web-served directory (MySQL's FILE privilege with INTO OUTFILE), which is common in default installs of small PHP applications.
Likely Case
Unauthorized access to sensitive medical records, patient data exfiltration, and potential manipulation of medication orders.
If Mitigated
Limited impact with proper input validation, parameterized queries, and network segmentation in place.
🎯 Exploit Status
A public exploit script is available on GitHub (omos_sqli_exploit.py in the disclosure repository listed under References). The disclosure reports that exploitation requires no authentication and uses a simple SQL injection technique; since the vulnerable endpoint sits under /admin/, confirm in your own copy whether the query runs before or after the admin session check, and assume the worse case until you have.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Consider migrating to a maintained alternative or implementing custom fixes with parameterized queries.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add server-side validation to the date parameter so that only a valid date is accepted.
Implement regex validation: /^\d{4}-\d{2}-\d{2}$/ for YYYY-MM-DD format, then parse the value as a real calendar date so that shapes like 2024-13-45 are also rejected. Validation is a stopgap; the actual fix is to pass the value to the query as a bound parameter.
WAF Rule Implementation
Deploy web application firewall rules to block SQL injection patterns on this parameter.
ModSecurity rule: SecRule ARGS:date "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQLi in date parameter'"
A WAF reduces exposure but is bypassable and does not remove the injection; treat it as a compensating control until the code is fixed.
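The following Python example is added here to illustrate the workaround and the real fix side by side; it is not code from Open Source Medicine Ordering System (which is a PHP application) nor from the disclosure. It uses an in-memory SQLite table with an assumed schema (an orders table with an order_date column); the real table and column names are not given on this page. The vulnerable function reproduces the bug class, the second shows that parameter binding alone defuses the payload, and the third adds the date validation described above on top of binding.

```python
import re
import sqlite3
from datetime import date


def make_db():
    """Constructed in-memory table standing in for the orders table the
    admin reports page queries. Schema and rows are assumed for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, patient TEXT, order_date TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "patient-a", "2024-01-01"),
         (2, "patient-b", "2024-01-02"),
         (3, "patient-c", "2024-01-03")],
    )
    return conn


def report_vulnerable(conn, date_param):
    """Mirrors the bug class: the request parameter is spliced into the SQL
    text, so a quote in the value ends the literal and the rest is parsed as SQL."""
    sql = "SELECT id, patient FROM orders WHERE order_date = '" + date_param + "'"
    return conn.execute(sql).fetchall()


def report_parameterized(conn, date_param):
    """Same query with the value bound as a parameter. The driver never
    interprets it as SQL, so the payload simply matches no row."""
    return conn.execute(
        "SELECT id, patient FROM orders WHERE order_date = ?", (date_param,)
    ).fetchall()


DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_date(value):
    """Allowlist check: shape first (the regex from the workaround), then a
    real calendar check so that 2024-02-30 is rejected as well. Returns the
    normalised YYYY-MM-DD string or raises ValueError."""
    if not DATE_RE.match(value):
        raise ValueError("date must be YYYY-MM-DD")
    year, month, day = (int(part) for part in value.split("-"))
    return date(year, month, day).isoformat()  # ValueError on impossible dates


def report_fixed(conn, date_param):
    """Defence in depth: validated value, then bound as a parameter."""
    clean = validate_date(date_param)
    return report_parameterized(conn, clean)


if __name__ == "__main__":
    db = make_db()
    payload = "2024-01-01' OR '1'='1"
    print("vulnerable:", report_vulnerable(db, payload))      # every row comes back
    print("parameterized:", report_parameterized(db, payload))  # no rows
    try:
        report_fixed(db, payload)
    except ValueError as err:
        print("fixed:", err)
```

In the PHP application the equivalent change is to replace the string-built query with a prepared statement (PDO or mysqli with a bound parameter) and to run the same validation on $_GET['date'] before the query; the validation function above is the part a WAF rule approximates.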
🧯 If You Can't Patch
- Network segmentation: Isolate the system from internet access and restrict to necessary internal networks only
- Database hardening: Implement least privilege database accounts, enable logging, and regularly audit database access
🔍 How to Verify
Check if Vulnerable:
Test the /admin/reports/index.php endpoint, on a non-production copy or with written authorisation, with a SQL injection payload in the date parameter (e.g. date=2024-01-01' OR '1'='1, URL-encoded as date=2024-01-01%27%20OR%20%271%27%3D%271). If the report returns rows for every date rather than only 2024-01-01, or the response contains a database error, the parameter is being interpreted as SQL.
Check Version:
The disclosure references only v1.0, and the page lists no dedicated version file. Check for a version string in the download package name, the README, or config.php if one is present; if you cannot establish a version, assume the installation is v1.0 and vulnerable.
Verify Fix Applied:
Verify that the payload above is rejected as an invalid date (or, with parameter binding alone, returns no rows) and that the response contains no database error message; a "sanitized" payload that still produces a SQL error means the value is still reaching the query as text.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple failed login attempts followed by reports access
- Suspicious date parameter values containing SQL keywords
Network Indicators:
- HTTP requests to /admin/reports/index.php with SQL injection patterns in parameters
- Unusual database query patterns from the application server
SIEM Query:
source="web_logs" AND uri="/admin/reports/index.php" AND (param="date" AND value MATCHES "'.*OR.*|'.*AND.*|'.*UNION.*")
This is pseudo-syntax to adapt to your SIEM. Match case-insensitively and against the URL-decoded value (the payload typically arrives as %27 rather than a literal quote); a stricter rule is to alert on any date value that does not match ^\d{4}-\d{2}-\d{2}$.
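The following Python example is added here to show the detection logic above run over sample access log lines; it is not code from the project or the disclosure. The log lines are constructed for the example (common log format; the request path is the one named on this page). It applies the allowlist approach (anything that is not a YYYY-MM-DD value is anomalous) and additionally classifies whether the value looks like SQL injection, so a single misuse and a systematic probe are both visible.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access log lines (common log format), not real traffic.
# Line 2 carries the URL-encoded form of the page's test payload, line 3 a
# UNION probe that produced a server error, line 4 unrelated traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:10:01:02 +0000] "GET /admin/reports/index.php?date=2024-01-01 HTTP/1.1" 200 812
10.0.0.9 - - [10/Mar/2024:10:01:09 +0000] "GET /admin/reports/index.php?date=2024-01-01%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120
10.0.0.9 - - [10/Mar/2024:10:01:15 +0000] "GET /admin/reports/index.php?date=2024-01-01'+union+select+1,2,3-- HTTP/1.1" 500 233
10.0.0.7 - - [10/Mar/2024:10:02:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 4100
"""

VULNERABLE_PATH = "/admin/reports/index.php"

# Client IP, timestamp, method, request target and status from a CLF line.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Strict allowlist for what a legitimate date value looks like.
STRICT_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Loose classifier for injection: quotes, comment openers, common keywords.
SQLI_RE = re.compile(
    r"""['"]|--|/\*|\b(or|and|union|select|sleep|benchmark)\b""", re.IGNORECASE
)


def suspicious_date_requests(log_text):
    """Return one record per request to the vulnerable path whose date
    parameter is not a plain YYYY-MM-DD value. Each record carries the
    decoded value, the response status and whether it matches SQLI_RE."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != VULNERABLE_PATH:
            continue
        # parse_qs decodes once; a second unquote_plus catches %2527-style
        # double encoding that some scanners use to slip past naive filters.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("date", []):
            value = unquote_plus(raw)
            if STRICT_DATE.match(value):
                continue
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "date": value,
                "sqli": bool(SQLI_RE.search(value)),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_date_requests(SAMPLE_LOG):
        print(hit)
```

Alert on any record with sqli set, and treat a 200 response to such a request as a likely successful extraction (the oversized 9120-byte response on line 2 is the kind of size anomaly worth keeping as a secondary signal); a 500 response usually indicates a probe that broke the query rather than a successful one.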
🔗 References
- https://github.com/onurkarasalihoglu/vulnerability-disclosures/blob/main/omos-sql-injection.md
- https://github.com/onurkarasalihoglu/vulnerability-disclosures/blob/main/omos_sqli_exploit.py