CVE-2024-8749
📋 TL;DR
This SQL injection vulnerability in i-doit pro version 28 lets an attacker inject arbitrary SQL through the ID parameter of one API method (the one implemented in isys_api_model_cmdb_objects_by_relation.class.php). Because the parameter reaches the query unsanitized, a successful attack can read or modify the backing database, which holds the entire CMDB. Deployments of i-doit pro version 28 are affected; consult the vendor advisory for the fixed version.
💻 Affected Systems
- i-doit pro, version 28 (see the vendor advisory for the exact affected and fixed builds)
📦 What is this software?
i-doit pro by synetics: an IT documentation and CMDB (configuration management database) application written in PHP. The vulnerable code is part of its API module, which exposes CMDB objects to scripts and integrations.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the i-doit database: reading, altering or deleting any table the application's database account can reach. Escalation from SQL injection to operating-system command execution is possible only if that database account also holds file-write or administrative privileges, which a least-privilege account should not.
Likely Case
Unauthorized read access to sensitive configuration management data held in the CMDB: stored credentials, network documentation, and asset and relationship inventories.
If Mitigated
Limited impact where the web interface and API are reachable only from trusted networks and the application's database account has least-privilege grants: an attacker first has to reach the endpoint, and a successful injection is confined to the tables that account can touch. Only the vendor fix, which validates the ID or binds it as a query parameter, removes the flaw itself.
🎯 Exploit Status
The page records no public exploit. SQL injection through a numeric ID parameter is generally low-complexity to exploit once the API method is reachable; whether this method is callable without a valid API key or session is not stated here, so check the vendor advisory before assuming either way.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-synetics-idoit-pro
Restart Required: Yes
Instructions:
1. Check the vendor advisory for the patched version.
2. Back up the i-doit installation directory and its database.
3. Apply the vendor-provided patch or upgrade to the fixed version.
4. Restart the web server (e.g., systemctl restart apache2) so that the updated PHP code is loaded rather than a cached copy.
5. Verify the fix by re-testing the affected API method (see How to Verify below).
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with SQL injection rules in front of the i-doit API. Because the API is JSON-RPC, the rules must inspect the POST body, where the id parameter travels, not only the URL and query string.
Input Validation Filter
Add application-level input validation that rejects any ID value that is not a positive integer before it reaches the database layer. This is a stopgap: the proper fix is a parameterized query, which the vendor patch supplies.
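The following is an added example, not code from i-doit or the advisory. It puts the vulnerable pattern (the ID concatenated into the SQL text) beside the hardened one (the input validation filter from the workaround above, followed by a bound parameter as in the "If Mitigated" note), and adds the boolean true/false probe that distinguishes the two. The table isys_obj, its rows and the lookup functions are constructed stand-ins; i-doit's real query is PHP against its own schema and is not reproduced here.

```python
import re
import sqlite3

# Constructed stand-in for a CMDB object table; not i-doit's real schema.
OBJECTS = [
    (1, "web-01", "Server"),
    (2, "db-01", "Server"),
    (3, "core-sw", "Switch"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE isys_obj (id INTEGER PRIMARY KEY, title TEXT, type TEXT)")
    conn.executemany("INSERT INTO isys_obj VALUES (?, ?, ?)", OBJECTS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The anti-pattern: the id is pasted into the SQL text, so whatever the caller
    sends becomes part of the WHERE clause (deliberately vulnerable, for comparison)."""
    sql = f"SELECT id, title FROM isys_obj WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


def parse_object_id(raw_id):
    """Application-level filter: accept a positive integer, either as an int or as a
    string of digits, and reject everything else before it gets near the database."""
    if isinstance(raw_id, bool):
        raise ValueError("object id must be an integer, not a boolean")
    if isinstance(raw_id, int):
        if raw_id <= 0:
            raise ValueError(f"object id must be positive: {raw_id}")
        return raw_id
    if isinstance(raw_id, str) and ID_RE.match(raw_id):
        return int(raw_id)
    raise ValueError(f"invalid object id: {raw_id!r}")


def lookup_hardened(conn, raw_id):
    """Validate first, then bind the value as a query parameter so it can only ever be
    compared against the column and never change the statement."""
    object_id = parse_object_id(raw_id)
    return conn.execute(
        "SELECT id, title FROM isys_obj WHERE id = ?", (object_id,)
    ).fetchall()


def is_injectable(conn, lookup):
    """Boolean-based probe for a numeric parameter: if a true condition appended to a
    valid id returns the normal row while a false one returns nothing, the parameter is
    being interpreted as SQL. A lookup that rejects the probe (ValueError) or cannot
    parse it (database error) is reported as not injectable."""
    try:
        baseline = lookup(conn, "1")
        true_case = lookup(conn, "1 AND 1=1")
        false_case = lookup(conn, "1 AND 1=2")
    except (ValueError, sqlite3.Error):
        return False
    return len(baseline) == 1 and true_case == baseline and false_case != baseline
```

Against the vulnerable lookup, "1 OR 1=1" returns every object and the probe reports the parameter as injectable; against the hardened lookup the same inputs are rejected by parse_object_id before any SQL runs. The probe pair is also the right verification test for a numeric ID: a quote-based payload such as ' OR '1'='1 only works where the value is quoted inside the query, so a clean result from it proves little.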
🧯 If You Can't Patch
- Restrict network access to the i-doit web interface and API with firewall rules so that only trusted source addresses can reach them.
- Run i-doit against a database account with least-privilege grants (access only to i-doit's own schema, no file-write or administrative privileges), and monitor the database query log for statements carrying unexpected UNION, conditional (AND/OR ... = ...) or time-delay clauses.
🔍 How to Verify
Check if Vulnerable:
Review /var/www/html/src/classes/modules/api/model/cmdb/isys_api_model_cmdb_objects_by_relation.class.php (the path assumes a default Debian/Ubuntu web root) in version 28 and follow the ID parameter to the SQL statement: if it is concatenated into the query string without an integer cast or a bound parameter, the installation is vulnerable.
Check Version:
Check i-doit version via web interface admin panel or review installation documentation for version information.
Verify Fix Applied:
Call the affected API method with a known-good ID and then with the boolean pair 1 AND 1=1 and 1 AND 1=2. Before the fix, the first probe returns the same result as the plain ID and the second returns nothing; after the fix, both probes should be rejected as invalid or return the same result as the plain ID. The classic ' OR '1'='1 string only takes effect where the value is quoted inside the query, so a numeric ID may look clean under it while still being injectable.
📡 Detection & Monitoring
Log Indicators:
- SQL syntax or database error messages in the PHP/application error log (web server access logs do not carry them)
- Multiple requests to the vulnerable API endpoint with suspicious parameters
- Database query logs showing unexpected SQL statements
Network Indicators:
- HTTP requests whose id parameter contains SQL tokens (UNION, SELECT, AND/OR followed by a comparison, comment sequences such as -- or /*) instead of a plain integer
- Unusual traffic patterns to the specific API endpoint
SIEM Query:
Note that the class file name never appears in a request URL: i-doit serves its API as JSON-RPC over POST (by default at /src/jsonrpc.php), and the method name and the id parameter travel in the JSON body. Match on the logged request body or on an application-log field rather than on the URI; a Splunk-style query, with field names that depend on your log source, would be:
source="web_server_logs" AND uri="*/src/jsonrpc.php*" AND method="cmdb.objects_by_relation" AND (params.id="*' OR*" OR params.id="*UNION*" OR params.id="*SELECT*" OR params.id="* AND *")
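The detection logic from the indicators above, run over a handful of constructed JSON-lines request records, as an added example that is not from the page or the vendor. The record layout (src, uri, body) and the fact that request bodies are logged at all are assumptions: the advisory says nothing about i-doit's log format. What the example shows is that the check has to parse the JSON-RPC body, where the method and id live, and that a well-formed id is simply a positive integer, so everything else is worth a finding; repeated findings from one source are surfaced as a burst.

```python
import json
import re
from collections import Counter

# Constructed sample log lines in JSON Lines form. Field names and the logging of
# request bodies are assumptions; the bodies mimic i-doit JSON-RPC calls, in which the
# method name and parameters travel in the POST body rather than in the URL.
SAMPLE_LOG = """
{"src": "10.0.0.5", "uri": "/src/jsonrpc.php", "body": {"method": "cmdb.objects_by_relation", "params": {"id": "1234", "apikey": "<redacted>"}}}
{"src": "203.0.113.7", "uri": "/src/jsonrpc.php", "body": {"method": "cmdb.objects_by_relation", "params": {"id": "1234 AND 1=1", "apikey": "<redacted>"}}}
{"src": "203.0.113.7", "uri": "/src/jsonrpc.php", "body": {"method": "cmdb.objects_by_relation", "params": {"id": "1234 AND 1=2", "apikey": "<redacted>"}}}
{"src": "203.0.113.7", "uri": "/src/jsonrpc.php", "body": {"method": "cmdb.objects_by_relation", "params": {"id": "1234 UNION SELECT 1,2,3", "apikey": "<redacted>"}}}
{"src": "10.0.0.8", "uri": "/src/jsonrpc.php", "body": {"method": "cmdb.object.read", "params": {"id": 42, "apikey": "<redacted>"}}}
{"src": "198.51.100.9", "uri": "/src/jsonrpc.php", "body": {"method": "cmdb.objects_by_relation", "params": {"id": "1 OR 1=1", "apikey": "<redacted>"}}}
"""

INT_RE = re.compile(r"^[1-9][0-9]*$")
# SQL keywords, comment openers and quote/terminator characters that have no place
# in an object id.
SQL_RE = re.compile(r"(?i)\b(select|union|or|and|sleep|benchmark)\b|--|/\*|[;'\"#]")


def classify_id(value):
    """Return None for a well-formed object id, otherwise a short reason string."""
    if isinstance(value, bool):
        return "non-numeric"
    if isinstance(value, int):
        return None if value > 0 else "non-positive"
    if isinstance(value, str):
        if INT_RE.match(value):
            return None
        return "sql-syntax" if SQL_RE.search(value) else "non-numeric"
    return "non-numeric"


def detect(log_text, burst_threshold=3):
    """Scan JSON-lines events; flag every request whose params.id is not a plain
    positive integer, and list sources with at least burst_threshold flagged requests."""
    findings = []
    per_source = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        body = event.get("body") or {}
        params = body.get("params") or {}
        if "id" not in params:
            continue
        reason = classify_id(params["id"])
        if reason is None:
            continue
        src = event.get("src", "?")
        per_source[src] += 1
        findings.append({
            "src": src,
            "method": body.get("method"),
            "id": params["id"],
            "reason": reason,
        })
    bursts = sorted(src for src, n in per_source.items() if n >= burst_threshold)
    return {"findings": findings, "bursts": bursts}
```

On the sample above, the two benign calls pass, the four others are flagged as sql-syntax, and 203.0.113.7 is reported as a burst because its true/false pair followed by a UNION is exactly the manual probing sequence an attacker or scanner produces. Tune burst_threshold and the keyword list to your own traffic; the point of checking for "not a positive integer" first is that it catches payloads the keyword list misses.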