CVE-2024-36837
📋 TL;DR
This SQL injection vulnerability in CRMEB v5.2.2 allows remote attackers to execute arbitrary SQL commands through the getProductList function. Attackers can potentially extract sensitive database information including user credentials, payment data, and business records. All CRMEB installations running version 5.2.2 are affected.
💻 Affected Systems
- CRMEB
📦 What is this software?
Crmeb by Crmeb
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, authentication bypass, remote code execution via database functions, and full system takeover.
Likely Case
Extraction of sensitive business data, customer information, and administrative credentials leading to data breach and potential financial loss.
If Mitigated
Limited information disclosure with no critical data exposure if proper input validation and WAF rules are in place.
🎯 Exploit Status
Public proof-of-concept available on GitHub. SQL injection is straightforward to exploit with common tools like sqlmap.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v5.2.3 or later
Vendor Advisory: https://github.com/crmeb/CRMEB
Restart Required: No
Instructions:
1. Backup current installation and database.
2. Download latest CRMEB version from official repository.
3. Replace affected files.
4. Verify parameterized queries are used in ProductController.php.
5. Test application functionality.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to sanitize user inputs before processing in getProductList function
Modify ProductController.php to add input filtering for all parameters
WAF Rule Implementation
Deploy web application firewall rules to block SQL injection patterns
Add WAF rules to detect and block SQL injection attempts to /product/list endpoint
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries in ProductController.php
- Deploy web application firewall with SQL injection detection rules
🔍 How to Verify
Check if Vulnerable:
Check if running CRMEB v5.2.2 and test /product/list endpoint with SQL injection payloads
Check Version:
Check CRMEB version in admin panel or examine version files in installation directory
Verify Fix Applied:
Verify that ProductController.php uses parameterized queries and that tests with SQL injection payloads against /product/list return no data
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts after product list access
- Long parameter values in web server logs for /product/list
Network Indicators:
- SQL keywords in HTTP GET parameters
- Unusual database connection patterns from web server
SIEM Query:
source="web_server" AND (url="/product/list" AND (param="*SELECT*" OR param="*UNION*" OR param="*OR*"))
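As an added example (not part of the advisory and not CRMEB code), the log indicators and SIEM query above turned into a small Python scanner over constructed access-log lines. The combined-style log format, the 100-character "long parameter" threshold and the word-boundary keyword matching (which keeps benign values such as "color" or "order" from tripping the bare "OR" pattern) are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2024:10:00:01 +0000] "GET /product/list?page=1&limit=20&cid=3 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jun/2024:10:00:02 +0000] "GET /product/list?cid=3%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 5120 "-" "python-requests/2.31"
10.0.0.7 - - [01/Jun/2024:10:00:03 +0000] "GET /product/list?keyword=color+order&priceOrder=asc HTTP/1.1" 200 700 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jun/2024:10:00:04 +0000] "GET /product/list?cid=3%20OR%201%3D1 HTTP/1.1" 200 900 "-" "curl/8.0"
10.0.0.2 - - [01/Jun/2024:10:00:05 +0000] "GET /api/index HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Keywords from the advisory's SIEM query, matched as whole words to limit false positives.
SQL_KEYWORDS = re.compile(r"\b(select|union|or)\b", re.IGNORECASE)
LONG_VALUE = 100  # assumed threshold for a "long parameter value"; tune per deployment
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def analyze_line(line):
    """Return a finding for a suspicious /product/list request, or None if benign."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/product/list":
        return None
    reasons = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; a second pass exposes double-encoded payloads
        decoded = unquote_plus(value)
        kw = SQL_KEYWORDS.search(decoded)
        if kw:
            reasons.append(f"{name}: SQL keyword {kw.group(0).upper()}")
        if len(decoded) > LONG_VALUE:
            reasons.append(f"{name}: value length {len(decoded)}")
    if not reasons:
        return None
    return {"src": m.group("src"), "target": m.group("target"), "reasons": reasons}

def scan_log(text):
    """Scan every line of an access log and return the list of findings."""
    return [f for f in (analyze_line(ln) for ln in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["src"], finding["target"], "; ".join(finding["reasons"]))
```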