CVE-2024-35409
📋 TL;DR
CVE-2024-35409 is a critical SQL injection vulnerability in WeBid 1.1.2 that allows attackers to execute arbitrary SQL commands via the admin/tax.php endpoint. This affects all WeBid 1.1.2 installations with the vulnerable file present. Attackers could potentially access, modify, or delete database contents.
💻 Affected Systems
- WeBid
📦 What is this software?
Webid by Webidsupport
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution via database functions.
Likely Case
Unauthorized data access, privilege escalation, and potential administrative account takeover.
If Mitigated
Limited impact if proper input validation, parameterized queries, and web application firewalls are in place.
🎯 Exploit Status
Exploitation requires access to the admin interface. The vulnerability is in a specific PHP file with demonstrated SQL injection vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
1. Download the vulnerable file (admin/tax.php)
2. Implement parameterized queries or proper input validation
3. Replace the vulnerable file with the patched version
4. Test functionality
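The following is an added example, not WeBid's own code and not the actual contents of admin/tax.php, showing the change step 2 asks for: the string-concatenation pattern that produces an SQL injection, beside the same query written as a mysqli prepared statement. The table name taxes, its columns (id, country, rate) and the parameter names are hypothetical placeholders chosen for illustration.

```php
<?php
// Added example (not WeBid code). Assumes a mysqli connection $db and a
// hypothetical table `taxes` (id INT, country VARCHAR, rate DECIMAL).
// Make mysqli throw on errors instead of silently returning false
// (this is already the default from PHP 8.1 onwards).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// BEFORE (vulnerable pattern): request data is spliced into the statement
// text, so a quote character in $country changes the query's structure.
function find_tax_vulnerable(mysqli $db, string $country): ?array
{
    $sql = "SELECT id, country, rate FROM taxes WHERE country = '" . $country . "'";
    $result = $db->query($sql);
    return $result->fetch_assoc() ?: null;
}

// AFTER (hardened): the value is sent as a bound parameter; the server
// compiles the statement with a placeholder, so the data can never be
// interpreted as SQL.
function find_tax_safe(mysqli $db, string $country): ?array
{
    $stmt = $db->prepare("SELECT id, country, rate FROM taxes WHERE country = ?");
    $stmt->bind_param('s', $country);
    $stmt->execute();
    // get_result() needs the mysqlnd driver, which stock PHP builds ship with.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Numeric identifiers: validate the shape first, then still bind. Casting
// alone is not a substitute for binding, but rejecting non-digits early
// gives a clean error instead of a database error page.
function delete_tax_safe(mysqli $db, string $id): int
{
    if (!ctype_digit($id)) {
        return 0; // not a valid id; nothing deleted
    }
    $idInt = (int) $id;
    $stmt = $db->prepare("DELETE FROM taxes WHERE id = ?");
    $stmt->bind_param('i', $idInt);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage (credentials are placeholders; keep the admin session check that
// normally guards this page in front of these calls):
// $db  = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'webid');
// $row = find_tax_safe($db, (string) ($_POST['country'] ?? ''));
// $n   = delete_tax_safe($db, (string) ($_POST['id'] ?? ''));
```

When reviewing tax.php for step 2, look for every $db->query() or mysqli_query() call whose SQL text is built with "." concatenation or string interpolation of $_GET, $_POST or $_REQUEST values; each of those is a candidate for the prepared-statement rewrite above. Escaping with mysqli_real_escape_string() is weaker than binding because it must be applied correctly at every call site and does nothing for values used outside quotes (numeric fields, ORDER BY clauses, LIMIT values).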
🔧 Temporary Workarounds
File Access Restriction
Restrict access to the vulnerable admin/tax.php file using web server configuration
# Apache: Add to .htaccess (AllowOverride must permit Limit/AuthConfig)
<Files "tax.php">
# Apache 2.2 syntax (also works on 2.4 only when mod_access_compat is loaded)
Order Deny,Allow
Deny from all
# Apache 2.4 without mod_access_compat: use this single line instead
# Require all denied
</Files>
# Nginx: Add to server block. Regex locations match in file order, so this
# block must appear before the generic "location ~ \.php$" handler.
location ~ ^/admin/tax\.php$ {
deny all;   # nginx answers 403 on its own; no "return" is needed
}
Web Application Firewall
Implement WAF rules to block SQL injection patterns targeting the tax.php endpoint
# ModSecurity example rule (chained: both SecRule lines must match to deny).
# Requires SecRequestBodyAccess On so POST parameters appear in ARGS in phase 2,
# and @detectSQLi needs libinjection (ModSecurity 2.8+ or 3.x).
SecRule REQUEST_URI "@contains admin/tax.php" \
"id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt blocked on tax.php',chain"
SecRule ARGS "@detectSQLi"
🧯 If You Can't Patch
- Implement network segmentation to isolate the WeBid server from sensitive systems
- Enable detailed logging and monitoring for suspicious database queries and admin panel access
🔍 How to Verify
Check if Vulnerable:
Check if admin/tax.php exists in your WeBid installation and review the code for lack of parameterized queries in SQL statements.
Check Version:
Check the version.txt file in WeBid root directory or examine the installation files for version indicators.
Verify Fix Applied:
Test the admin/tax.php functionality with SQL injection payloads to ensure they are properly sanitized or blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts to admin panel followed by tax.php access
- SQL syntax errors in web server logs for tax.php
Network Indicators:
- HTTP POST requests to /admin/tax.php containing SQL keywords (UNION, SELECT, INSERT, etc.)
- Unusual database connection patterns from web server
SIEM Query:
source="web_server" AND uri="/admin/tax.php" AND (request_body="*UNION*" OR request_body="*SELECT*" OR request_body="*INSERT*")
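The SIEM query above is written in a generic wildcard syntax; the added example below (not WeBid's code, not a vendor SIEM rule) implements the same logic as a small PHP check over constructed log records, so the matching behaviour can be tested offline. The record format is an assumption: one JSON object per line carrying ts, src, method, uri, status and the raw request_body as received. It goes slightly beyond the query by URL-decoding the body and matching case-insensitively on word boundaries, which the literal "*UNION*" wildcard would not do.

```php
<?php
// Added example (not WeBid code). Applies this advisory's SIEM logic to
// constructed JSON log records. Field names are assumptions.
const TAX_ENDPOINT = '/admin/tax.php';
// Same keyword set the advisory's SIEM query uses.
const SQL_KEYWORDS = ['UNION', 'SELECT', 'INSERT'];

/**
 * Return every record whose uri is the tax.php endpoint and whose URL-decoded
 * request body contains one of the SQL keywords as a whole word.
 * Each returned record gains a matched_keyword field.
 */
function flag_tax_sqli(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec) || ($rec['uri'] ?? '') !== TAX_ENDPOINT) {
            continue; // not a tax.php request (or an unparsable line)
        }
        // Decode once so "UNION+SELECT" / "%55NION" are seen as the words they
        // are, then upper-case so the comparison is case-insensitive.
        $body = strtoupper(urldecode((string) ($rec['request_body'] ?? '')));
        foreach (SQL_KEYWORDS as $kw) {
            // \b keeps "select" from matching inside an unrelated longer token.
            if (preg_match('/\b' . $kw . '\b/', $body) === 1) {
                $rec['matched_keyword'] = $kw;
                $hits[] = $rec;
                break;
            }
        }
    }
    return $hits;
}

/** Count flagged records per source address, the usual pivot for an alert. */
function hits_by_source(array $hits): array
{
    $bySrc = [];
    foreach ($hits as $h) {
        $src = $h['src'] ?? 'unknown';
        $bySrc[$src] = ($bySrc[$src] ?? 0) + 1;
    }
    return $bySrc;
}

// Constructed sample records (not real traffic). The second one is the kind
// of request the "SQL syntax errors in web server logs" indicator refers to:
// a quote-bearing parameter followed by a 500 from the application.
$sample = <<<'LOG'
{"ts":"2024-05-01T10:00:01Z","src":"10.0.0.5","method":"POST","uri":"/admin/tax.php","status":200,"request_body":"action=add&country=DE&rate=19"}
{"ts":"2024-05-01T10:00:07Z","src":"10.0.0.5","method":"POST","uri":"/admin/tax.php","status":500,"request_body":"action=edit&id=1%27+UNION+SELECT+1%2C2%2C3--+-"}
{"ts":"2024-05-01T10:00:09Z","src":"10.0.0.9","method":"POST","uri":"/admin/login.php","status":200,"request_body":"username=admin&password=x"}
LOG;

$hits = flag_tax_sqli($sample);
foreach ($hits as $hit) {
    printf("%s %s %s status=%d matched %s\n",
        $hit['ts'], $hit['src'], $hit['uri'], $hit['status'], $hit['matched_keyword']);
}
foreach (hits_by_source($hits) as $src => $n) {
    printf("%s: %d flagged request(s)\n", $src, $n);
}
```

Running it flags only the second record (keyword UNION from 10.0.0.5); the first is an ordinary tax entry and the third targets a different endpoint. Keep the keyword list to the advisory's terms: widening it to words a legitimate form might carry (for example a delete action value) raises false positives on normal admin use, and the word-boundary match plus decoding already catches the common casing and encoding variants that a plain "*UNION*" wildcard misses. Pairing a hit with a 5xx status on the same request, as in the sample, is a stronger signal than the keyword alone.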