CVE-2024-4992
📋 TL;DR
CVE-2024-4992 is a critical SQL injection vulnerability in SiAdmin 1.1 that allows remote attackers to execute arbitrary SQL queries via the nim parameter in /modul/mod_kuliah/aksi_kuliah.php. This could lead to complete database compromise, including theft of sensitive student and administrative data. All organizations using SiAdmin 1.1 are affected.
💻 Affected Systems
- SiAdmin
📦 What is this software?
Siadmin by Ansanwan
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing data theft, data manipulation, authentication bypass, and potential server takeover via SQL injection to RCE chaining.
Likely Case
Unauthenticated attackers exfiltrating sensitive student records, grades, personal information, and administrative credentials from the database.
If Mitigated
Limited impact if proper input validation, parameterized queries, and WAF rules are implemented to block SQL injection attempts.
🎯 Exploit Status
SQL injection via GET/POST parameters is trivial to exploit with standard SQL injection tools like sqlmap. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-siadmin
Restart Required: No
Instructions:
No official patch available. Check vendor website for updates. Consider migrating to a supported alternative if SiAdmin is no longer maintained.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation for the nim parameter so that it only accepts the expected format (numeric student IDs)
Modify aksi_kuliah.php to add: if(!is_numeric($_GET['nim'])) { die('Invalid input'); }
WAF Rule Implementation
Deploy web application firewall rules to block SQL injection patterns targeting the vulnerable endpoint
Add WAF rule: deny requests to /modul/mod_kuliah/aksi_kuliah.php containing SQL keywords in parameters
🧯 If You Can't Patch
- Immediately restrict network access to the SiAdmin instance using firewall rules - allow only trusted IP addresses
- Implement database-level protections: use least-privilege database accounts, enable SQL injection logging, and take regular database backups
🔍 How to Verify
Check if Vulnerable:
Test the endpoint with SQL injection payload: /modul/mod_kuliah/aksi_kuliah.php?nim=1' OR '1'='1
Check Version:
Check SiAdmin version in application files or admin panel
Verify Fix Applied:
Attempt SQL injection tests after implementing workarounds - payloads should be rejected or sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in PHP/application logs
- Multiple requests to aksi_kuliah.php with SQL keywords in parameters
- Database queries with unexpected UNION or SELECT statements
Network Indicators:
- HTTP requests containing SQL injection patterns (UNION, SELECT, --, #, ') to the vulnerable endpoint
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri="/modul/mod_kuliah/aksi_kuliah.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*' OR '*" OR query="*--*" OR query="*#*")
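The SIEM query above matches literal keywords, so a payload sent percent-encoded (as browsers and tools normally send it) slips past it. The following added example, not part of the original advisory, parses constructed web-server access-log lines, scopes to the vulnerable endpoint, URL-decodes the nim parameter and flags values that are not a plain numeric student ID and carry the SQL injection markers listed in the network indicators.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:01:02 +0000] "GET /modul/mod_kuliah/aksi_kuliah.php?nim=2021001 HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2024:10:01:09 +0000] "GET /modul/mod_kuliah/aksi_kuliah.php?nim=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9842
203.0.113.7 - - [10/May/2024:10:01:15 +0000] "GET /modul/mod_kuliah/aksi_kuliah.php?nim=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 231
203.0.113.9 - - [10/May/2024:10:02:00 +0000] "GET /index.php?page=select_course HTTP/1.1" 200 1200
"""

VULN_PATH = "/modul/mod_kuliah/aksi_kuliah.php"

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Same markers the advisory lists under network indicators: UNION, SELECT, --, #, '
SQLI_RE = re.compile(r"(\bunion\b|\bselect\b|--|#|')", re.IGNORECASE)


def find_sqli_attempts(log_text):
    """Return (ip, status, decoded_nim) for requests to the vulnerable endpoint
    whose nim value is not a plain numeric ID and contains SQLi markers."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # Restrict to the vulnerable script so 'select' in unrelated URLs is not flagged.
        if url.path != VULN_PATH:
            continue
        for nim in parse_qs(url.query, keep_blank_values=True).get("nim", []):
            # parse_qs percent-decodes once; decode again to catch double encoding.
            decoded = unquote_plus(nim)
            if decoded.isdigit():
                continue  # legitimate numeric student ID
            if SQLI_RE.search(decoded):
                hits.append((m.group("ip"), int(m.group("status")), decoded))
    return hits


if __name__ == "__main__":
    for ip, status, payload in find_sqli_attempts(SAMPLE_LOG):
        print(f"{ip} status={status} nim={payload!r}")
```

The 500 response on the UNION request corresponds to the "unusual SQL errors" log indicator and is worth correlating with the PHP error log for the same timestamp.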