CVE-2024-55160
📋 TL;DR
GFast versions 2 through 3.2 contain a SQL injection vulnerability in the OrderBy parameter of the /system/operLog/list endpoint. The supplied value reaches the ORDER BY clause of the operation-log query without validation, so anyone who can send requests to the endpoint can inject arbitrary SQL expressions (subqueries, conditional and time-delay functions) and read or alter data with the privileges of the application's database account. Every deployment running an affected version is exposed if the endpoint is reachable.
💻 Affected Systems
- GFast
📦 What is this software?
GFast (github.com/tiger1103/gfast), an open-source back-office management system written in Go on the GoFrame framework. The vulnerable code lives in the system module's operation-log list handler and its logic layer (see the os-v3.2 links in the references).
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the application database: reading or modifying any table the application's database account can reach (including administrator accounts and credential hashes), destruction of data, and, where the database account holds file-write or other OS-level privileges, code execution on the database host.
Likely Case
Unauthorized read access to data in other tables through UNION, boolean-based or time-based blind injection, including extraction of credential hashes that can then be cracked or reused to take over accounts.
If Mitigated
Limited impact if the OrderBy value is checked against an allowlist of known column names (optionally followed by asc/desc) before it reaches the query. Parameterized queries alone do not close this hole: SQL identifiers in an ORDER BY clause cannot be bound as parameters, so an allowlist is the required control.
🎯 Exploit Status
Exploitation requires the ability to send requests to /system/operLog/list. Once the endpoint is reachable the injection is straightforward: the value lands in an ORDER BY context, so no quote-breaking is needed and bare expressions (subqueries, IF/CASE, SLEEP/BENCHMARK) are evaluated directly by the database. The public report linked in the references (SuperDu1/CVE issue #2) documents the issue against the os-v3.2 source.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.3 or later
Vendor Advisory: http://gfast.com
Restart Required: Yes
Instructions:
1. Upgrade GFast to version 3.3 or later.
2. Restart the GFast application/service so the new binary is serving requests.
3. Verify the fix by sending an expression payload to the /system/operLog/list endpoint (see "How to Verify") and confirming it is rejected.
🔧 Temporary Workarounds
Input Validation Filter
Reject any OrderBy value that is not an allowlisted column name, optionally followed by asc or desc. Do not rely on stripping quotes or escaping: ORDER BY injection does not need quotes, so a payload such as (SELECT SLEEP(5)) passes a quote filter unchanged.
WAF Rule
Deploy a web application firewall rule that blocks requests to /system/operLog/list whose (URL-decoded) OrderBy parameter contains parentheses, quotes, comment sequences (--, #, /*) or SQL keywords such as SELECT, UNION, SLEEP, BENCHMARK, IF, CASE, UPDATEXML or EXTRACTVALUE. Treat this as a stopgap only; expression-based payloads can be rewritten to evade keyword matching.
🧯 If You Can't Patch
- Restrict network access to the /system/operLog/list endpoint (and ideally the whole admin interface) to trusted administrator networks or a VPN using firewall or reverse-proxy rules.
- Add an application-level allowlist for the OrderBy parameter: map the client-supplied sort key to a fixed set of column names and directions and build the ORDER BY clause only from those constants. Parameterized queries cannot protect an identifier position, so validation must happen before the clause is assembled.
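The following Go program is an added illustration for the "Input Validation Filter" workaround and the allowlist mitigation above; it is example code written for this page, not GFast's own code. It places a deliberately vulnerable query builder (user input concatenated into ORDER BY) next to an allowlist-based SafeOrderBy function. The column names (oper_id, oper_time, title, oper_name) and the table name sys_oper_log are assumed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Vulnerable pattern (illustrative, not GFast's code): the client-controlled
// OrderBy value is concatenated straight into the ORDER BY clause, so any
// SQL expression the database accepts (subqueries, IF(), SLEEP()) is evaluated.
func buildQueryUnsafe(orderBy string) string {
	return "SELECT * FROM sys_oper_log ORDER BY " + orderBy
}

// Allowlist of sortable columns: API sort key -> exact SQL column name.
// Column names are assumed for this example.
var sortableColumns = map[string]string{
	"oper_id":   "oper_id",
	"oper_time": "oper_time",
	"title":     "title",
	"oper_name": "oper_name",
}

// Grammar a legitimate client sends: one identifier, optional asc/desc.
var orderByPattern = regexp.MustCompile(`(?i)^([a-z_][a-z0-9_]*)(?:\s+(asc|desc))?$`)

var ErrBadOrderBy = errors.New("orderBy: not an allowed column/direction")

// SafeOrderBy returns an ORDER BY clause built only from allowlisted tokens.
// Bind parameters cannot be used for identifiers, so the allowlist is the
// control that actually prevents the injection.
func SafeOrderBy(input, fallback string) (string, error) {
	input = strings.TrimSpace(input)
	if input == "" {
		return fallback, nil
	}
	m := orderByPattern.FindStringSubmatch(input)
	if m == nil {
		return "", ErrBadOrderBy
	}
	col, ok := sortableColumns[strings.ToLower(m[1])]
	if !ok {
		return "", ErrBadOrderBy
	}
	dir := "ASC"
	if strings.EqualFold(m[2], "desc") {
		dir = "DESC"
	}
	return col + " " + dir, nil
}

// buildQuerySafe is the hardened counterpart of buildQueryUnsafe.
func buildQuerySafe(orderBy string) (string, error) {
	clause, err := SafeOrderBy(orderBy, "oper_id DESC")
	if err != nil {
		return "", err
	}
	return "SELECT * FROM sys_oper_log ORDER BY " + clause, nil
}

func main() {
	payloads := []string{
		"oper_time desc",                // legitimate
		"(SELECT SLEEP(5))",             // time-based blind probe
		"IF(1=1,oper_id,oper_time)",     // boolean-based blind probe
		"oper_id, (SELECT 1)",           // extra expression appended
	}
	for _, p := range payloads {
		fmt.Printf("unsafe: %s\n", buildQueryUnsafe(p))
		if q, err := buildQuerySafe(p); err != nil {
			fmt.Printf("safe:   rejected %q: %v\n", p, err)
		} else {
			fmt.Printf("safe:   %s\n", q)
		}
	}
}
```

Run it as-is: the unsafe builder emits every payload verbatim into the SQL text, while the safe builder accepts only the first value and returns ErrBadOrderBy for the rest. In a real handler the error should map to an HTTP 400 rather than falling back silently, so probing shows up in the access log.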
🔍 How to Verify
Check if Vulnerable:
Send requests to /system/operLog/list with an expression in the OrderBy parameter and compare them with a request using a real column name. Because the value lands in an ORDER BY context, use expression payloads rather than quoted ones: a time-delay such as OrderBy=(SELECT SLEEP(5)) (MySQL) that measurably slows the response, or a conditional such as OrderBy=IF(1=1,<column_a>,<column_b>) versus IF(1=2,...) that changes the result order, shows the value reaches the query unvalidated. The classic quoted probe OrderBy=1' AND '1'='1 usually just produces a syntax error here and is a weak indicator either way.
Check Version:
Check the GFast version in the application configuration, the deployed release tag (the os-v3.2 tree and earlier are affected), or via the version endpoint if one is exposed.
Verify Fix Applied:
After patching, repeat the same expression payloads: they should be rejected with a validation error (or ignored in favour of a default sort), with no timing difference between the delay payload and a plain column name.
📡 Detection & Monitoring
Log Indicators:
- ORDER BY clauses containing subqueries, SLEEP/BENCHMARK, IF/CASE or UPDATEXML/EXTRACTVALUE in the database general or slow query log, or unusually long-running queries against the operation-log table
- Bursts of requests to /system/operLog/list from one client that differ only in the OrderBy value (blind-injection enumeration), and repeated failed logins from the same IP preceding such requests
- Access to /system/operLog/list with suspicious OrderBy parameters
Network Indicators:
- HTTP requests to /system/operLog/list with SQL keywords in parameters
- Bursts of near-identical queries from the application to the database that differ in one embedded expression, or queries with abnormal execution time (time-based blind probing)
SIEM Query:
source="web_logs" AND uri="/system/operLog/list" AND (OrderBy CONTAINS "'" OR OrderBy CONTAINS "(" OR OrderBy CONTAINS "--" OR OrderBy CONTAINS "/*" OR OrderBy MATCHES "(?i)\b(select|union|sleep|benchmark|if|case|updatexml|extractvalue)\b")
Apply the query to the URL-decoded parameter value; attackers routinely encode parentheses and spaces (%28, %20), which defeats a match on the raw request line.
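The pseudo-query above is SIEM-agnostic; as an added example (written for this page, not part of the original advisory or the GFast project) the following Go program applies the same logic to access-log lines: it URL-decodes the request, keeps only hits on /system/operLog/list, and flags any OrderBy value that does not look like a plain "column [asc|desc]", listing the injection indicators it contains. The log lines are constructed for this example and the request path prefix is assumed; real GFast deployments may serve the endpoint under a different prefix.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample access-log lines (not real traffic). Line 1 is a benign
// sort, lines 2-4 are time-based, boolean-based and quoted probes, and line 5
// hits a different endpoint and is out of scope for this rule.
const sampleLog = `10.0.0.5 - - [01/Dec/2024:10:00:01 +0000] "GET /system/operLog/list?pageNum=1&pageSize=10&OrderBy=oper_time%20desc HTTP/1.1" 200 512
10.0.0.9 - - [01/Dec/2024:10:00:07 +0000] "GET /system/operLog/list?pageNum=1&OrderBy=%28SELECT%20SLEEP%285%29%29 HTTP/1.1" 200 512
10.0.0.9 - - [01/Dec/2024:10:00:15 +0000] "GET /system/operLog/list?OrderBy=IF%281%3D1%2Coper_id%2Coper_time%29 HTTP/1.1" 200 512
10.0.0.9 - - [01/Dec/2024:10:00:20 +0000] "GET /system/operLog/list?OrderBy=oper_id%27%20AND%20%271%27%3D%271 HTTP/1.1" 500 0
10.0.0.7 - - [01/Dec/2024:10:01:00 +0000] "GET /system/user/list?OrderBy=%28SELECT%201%29 HTTP/1.1" 200 100`

var (
	// Common Log Format: client IP first, request line in quotes.
	requestRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/`)
	// What a legitimate client sends: one identifier, optional asc/desc.
	benignRe = regexp.MustCompile(`(?i)^[a-z_][a-z0-9_]*(?:\s+(?:asc|desc))?$`)
	// Tokens that only make sense in an injected SQL expression.
	indicatorRe = regexp.MustCompile(`(?i)['"` + "`" + `;#()]|--|/\*|\b(?:select|union|sleep|benchmark|if|case|when|updatexml|extractvalue)\b`)
)

type Finding struct {
	IP, Path, OrderBy, Reason string
}

// Suspicious reports whether a decoded OrderBy value deviates from the
// benign grammar and, if so, which indicators it carries for the analyst.
func Suspicious(orderBy string) (bool, string) {
	if benignRe.MatchString(strings.TrimSpace(orderBy)) {
		return false, ""
	}
	hits := indicatorRe.FindAllString(orderBy, -1)
	if len(hits) == 0 {
		return true, "not a plain column[ asc|desc]"
	}
	return true, "indicators: " + strings.Join(hits, " ")
}

// ScanLog returns one Finding per suspicious OrderBy value sent to the
// vulnerable endpoint, in log order.
func ScanLog(log string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := requestRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		u, err := url.Parse(m[2]) // decodes %xx in the query string
		if err != nil || !strings.Contains(u.Path, "/system/operLog/list") {
			continue
		}
		for key, vals := range u.Query() {
			if !strings.EqualFold(key, "orderBy") {
				continue
			}
			for _, v := range vals {
				if bad, why := Suspicious(v); bad {
					findings = append(findings, Finding{m[1], u.Path, v, why})
				}
			}
		}
	}
	return findings
}

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("%s %s OrderBy=%q (%s)\n", f.IP, f.Path, f.OrderBy, f.Reason)
	}
}
```

The benign-grammar check does the real work: it catches expression payloads that avoid every keyword, while the indicator list only explains the hit. Scoping on the path keeps the rule specific to this CVE; widen it deliberately if you have other list endpoints with client-controlled sort keys, rather than by accident.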
🔗 References
- http://gfast.com
- https://github.com/SuperDu1/CVE/issues/2
- https://github.com/tiger1103/gfast/blob/os-v3.2/api/v1/system/sys_oper_log.go#L35
- https://github.com/tiger1103/gfast/blob/os-v3.2/internal/app/system/logic/sysOperLog/sys_oper_log.go#L121
- https://github.com/tiger1103/gfast/tree/os-v3.2