CVE-2024-44644
📋 TL;DR
PHPGurukul Small CRM 3.0 contains a SQL injection vulnerability in the manage-tickets.php file through the frm_id and aremark parameters. This allows attackers to execute arbitrary SQL commands on the database. Organizations using this specific CRM version are affected.
💻 Affected Systems
- PHPGurukul Small CRM
📦 What is this software?
Small CRM by PHPGurukul
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, or full system takeover via SQL injection to RCE chaining.
Likely Case
Unauthorized access to sensitive CRM data including customer information, ticket details, and potentially authentication credentials.
If Mitigated
Limited data exposure if database permissions are properly restricted and input validation is enforced elsewhere.
🎯 Exploit Status
Exploitation requires authentication to access the manage-tickets.php functionality. SQL injection is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://phpgurukul.com/small-crm-php/
Restart Required: No
Instructions:
No official patch available. Consider implementing input validation and parameterized queries manually or migrating to a supported CRM solution.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation of the frm_id and aremark parameters before they reach any query. In manage-tickets.php, validate frm_id as an integer and reject anything else (FILTER_SANITIZE_NUMBER_INT silently strips characters instead of rejecting the request), and escape aremark with the database driver's own function: htmlspecialchars is HTML output encoding and does not make a value safe inside SQL.
Edit manage-tickets.php to add:
$frm_id = filter_var($_POST['frm_id'], FILTER_VALIDATE_INT);
if ($frm_id === false) { http_response_code(400); exit('Invalid ticket id'); }
$aremark = mysqli_real_escape_string($con, $_POST['aremark']); // $con is assumed to be the script's existing mysqli connection; adjust to the actual handle
Escaping is a stop-gap; moving the query to a prepared statement is the durable fix.
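The following is an added example, not PHPGurukul's code, of what "parameterized queries" from the official-fix guidance look like for the two parameters this CVE names. It assumes a PDO/MySQL connection, a ticket table named tblticket with columns id, admin_remark and admin_remark_date, and that the original script updates a remark on a ticket; all of those names are assumptions and should be mapped to the real schema. Run from the CLI it performs an offline self-check with no database, showing that the advisory's sample payload is rejected before any SQL is built.

```php
<?php
// Added example (not PHPGurukul's code): hardened update path for manage-tickets.php.
// Table/column names, the DSN and credentials are assumptions.
declare(strict_types=1);

function connect(): PDO {
    // ERRMODE_EXCEPTION makes a failed query throw instead of returning false silently;
    // EMULATE_PREPARES=false makes MySQL itself separate query text from bound data.
    return new PDO('mysql:host=localhost;dbname=crm;charset=utf8mb4', 'crm_app', 'REPLACE_ME', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
}

/**
 * Validate frm_id and aremark and return them typed.
 * Anything that is not a positive integer id or a bounded UTF-8 remark is rejected,
 * so the query below only ever sees clean values.
 */
function validateTicketInput(array $post): array {
    $id = filter_var($post['frm_id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('frm_id must be a positive integer');
    }
    $remark = $post['aremark'] ?? '';
    if (!is_string($remark) || strlen($remark) > 2000 || preg_match('//u', $remark) !== 1) {
        throw new InvalidArgumentException('aremark must be UTF-8 text of at most 2000 bytes');
    }
    return ['frm_id' => $id, 'aremark' => $remark];
}

/**
 * Update the admin remark on one ticket. The SQL text is fixed; both values travel
 * as bound parameters, so a quote or UNION inside $aremark is just data.
 */
function updateTicketRemark(PDO $pdo, int $frmId, string $aremark): int {
    $stmt = $pdo->prepare(
        'UPDATE tblticket SET admin_remark = :aremark, admin_remark_date = NOW() WHERE id = :id'
    );
    $stmt->bindValue(':aremark', $aremark, PDO::PARAM_STR);
    $stmt->bindValue(':id', $frmId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

if (PHP_SAPI !== 'cli') {
    // Web request path.
    try {
        $in   = validateTicketInput($_POST);
        $rows = updateTicketRemark(connect(), $in['frm_id'], $in['aremark']);
        // htmlspecialchars belongs here, at output time, not as SQL protection.
        echo htmlspecialchars("Updated {$rows} ticket(s)", ENT_QUOTES, 'UTF-8');
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid input';
    } catch (PDOException $e) {
        error_log('manage-tickets DB error: ' . $e->getMessage()); // never echo driver errors to the client
        http_response_code(500);
        echo 'Internal error';
    }
} else {
    // Offline self-check (no database): the advisory's sample payload never reaches SQL.
    try {
        validateTicketInput(['frm_id' => "1' OR '1'='1", 'aremark' => 'x']);
        echo "unexpected: payload accepted\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
    // A legitimate remark containing a quote is accepted unchanged; binding handles it.
    print_r(validateTicketInput(['frm_id' => '42', 'aremark' => "O'Brien asked for a refund"]));
}
```

The point of the split into validateTicketInput and updateTicketRemark is that the id is rejected on type rather than sanitized into a different number, and the remark is never escaped by hand: the database receives it through a bound parameter, which is what closes the injection regardless of its content.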
WAF Rule Implementation
Deploy web application firewall rules that inspect these two parameters for SQL injection. Scope the rule to the parameters by name and use ModSecurity's libinjection operator; a regex of the parameter names against ARGS would be matched against parameter values, so it would neither detect injection nor target the right fields.
ModSecurity rule: SecRule ARGS:frm_id|ARGS:aremark "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt detected in manage-tickets.php parameters'"
Cloud WAF: Create a rule that applies the managed SQL injection ruleset (or a custom pattern for quote characters, comment sequences and UNION/SELECT) to the frm_id and aremark parameters of POST requests to manage-tickets.php
🧯 If You Can't Patch
- Restrict access to manage-tickets.php using IP whitelisting or authentication hardening.
- Implement database-level controls: use least privilege accounts, enable query logging, and regularly audit database activity.
🔍 How to Verify
Check if Vulnerable:
Test the manage-tickets.php endpoint with SQL injection payloads in frm_id or aremark parameters (e.g., frm_id=1' OR '1'='1).
Check Version:
Check the CRM version in the application interface or configuration files; look for version 3.0 indicators.
Verify Fix Applied:
Re-test with SQL injection payloads after implementing fixes; successful payloads should be rejected or sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple failed login attempts followed by access to manage-tickets.php
- Database queries with suspicious patterns from the application server
Network Indicators:
- HTTP POST requests to manage-tickets.php containing SQL keywords (UNION, SELECT, etc.) in parameters
- Abnormal traffic patterns to the CRM application
SIEM Query:
source="web_logs" AND uri="/manage-tickets.php" AND (param="frm_id" OR param="aremark") AND (content="' OR" OR content="UNION" OR content="SELECT")
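As an added example that is not part of the advisory, the script below turns the log and network indicators above into a scanner over sample records. It assumes the web tier emits JSON lines with src_ip, method, uri and a params map (the layout of your pipeline is an assumption), and the four sample lines are constructed. Rather than keyword matching alone, it uses the fact that frm_id is a ticket id, so any non-numeric value is anomalous on its own.

```php
<?php
// Added example (not part of the advisory): score web-log records for the CVE-2024-44644 indicators.
// Record layout and sample lines are constructed assumptions.
declare(strict_types=1);

const TARGET_URI = '/manage-tickets.php';

/** Return the reasons a record looks like an attack on this CVE (empty array = clean). */
function scoreRecord(array $rec): array {
    if (($rec['uri'] ?? '') !== TARGET_URI || ($rec['method'] ?? '') !== 'POST') {
        return [];
    }
    $params  = $rec['params'] ?? [];
    $reasons = [];

    // frm_id is a ticket id: anything but digits is anomalous regardless of keywords.
    if (isset($params['frm_id']) && !preg_match('/^\d+$/', (string)$params['frm_id'])) {
        $reasons[] = 'frm_id is not an integer';
    }
    // For both parameters, look for quoted boolean clauses, SQL keywords in clause position,
    // and comment sequences used to truncate the rest of a statement.
    foreach (['frm_id', 'aremark'] as $p) {
        if (!isset($params[$p])) {
            continue;
        }
        $v = (string)$params[$p];
        if (preg_match('/[\'"]\s*(or|and)\s*[\'"0-9]/i', $v)) {
            $reasons[] = "$p: quoted boolean clause";
        }
        if (preg_match('/\b(union\s+(all\s+)?select|select\s+.+\s+from|sleep\s*\(|benchmark\s*\()/i', $v)) {
            $reasons[] = "$p: SQL keyword";
        }
        if (preg_match('/(--\s|\/\*)/', $v)) {
            $reasons[] = "$p: SQL comment sequence";
        }
    }
    return $reasons;
}

/** Parse JSON lines and return one hit per record that scored, keyed by source address. */
function scanLog(string $jsonl): array {
    $hits = [];
    foreach (preg_split('/\R/', trim($jsonl)) as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec)) {
            continue; // skip malformed lines rather than abort the scan
        }
        $reasons = scoreRecord($rec);
        if ($reasons !== []) {
            $hits[] = ['src_ip' => $rec['src_ip'] ?? '?', 'reasons' => $reasons];
        }
    }
    return $hits;
}

// Constructed sample: one legitimate update, two injection attempts, one unrelated request.
$sample = <<<'LOG'
{"src_ip":"203.0.113.5","method":"POST","uri":"/manage-tickets.php","params":{"frm_id":"17","aremark":"Called customer back"}}
{"src_ip":"203.0.113.9","method":"POST","uri":"/manage-tickets.php","params":{"frm_id":"1' OR '1'='1","aremark":"x"}}
{"src_ip":"203.0.113.9","method":"POST","uri":"/manage-tickets.php","params":{"frm_id":"1","aremark":"x' UNION SELECT 1,2-- "}}
{"src_ip":"198.51.100.2","method":"GET","uri":"/index.php","params":{"q":"union select"}}
LOG;

foreach (scanLog($sample) as $hit) {
    printf("%s: %s\n", $hit['src_ip'], implode('; ', $hit['reasons']));
}
```

Only the two records from 203.0.113.9 are reported; the unrelated GET to index.php is ignored even though it contains SQL keywords, which keeps the alert tied to the vulnerable endpoint and parameters instead of firing on every occurrence of "select" in the logs.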