CVE-2024-9574
📋 TL;DR
This SQL injection vulnerability in SOPlanning versions before 1.45 allows remote attackers to execute arbitrary SQL queries through the 'by' parameter in the user_groupes.php endpoint. Attackers can potentially retrieve, modify, or delete all database information. All users running vulnerable SOPlanning versions are affected.
💻 Affected Systems
- SOPlanning
📦 What is this software?
Soplanning by Soplanning
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive user data, credentials, and planning information exfiltration, with potential for data destruction or system takeover.
Likely Case
Unauthorized access to sensitive planning data, user information, and potential privilege escalation within the application.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.
🎯 Exploit Status
SQL injection vulnerabilities are commonly weaponized and this appears to be a straightforward parameter injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.45
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-soplanning
Restart Required: Yes
Instructions:
1. Backup your SOPlanning installation and database.
2. Download SOPlanning version 1.45 or later from the official source.
3. Replace the existing installation with the new version.
4. Restart the web server service.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation for the 'by' parameter to only accept expected values
Modify /soplanning/www/user_groupes.php to validate the 'by' parameter against a whitelist of allowed values
Web Application Firewall Rule
Block SQL injection patterns in the 'by' parameter
Add WAF rule: deny requests to /soplanning/www/user_groupes.php with SQL keywords in 'by' parameter
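The allowlist workaround above, as an added example that is not SOPlanning's code: it is written in Python against an in-memory SQLite table rather than the application's PHP, and the table name, column names and sample rows are invented. The point it shows is why an allowlist is the right fix for this class of bug: an ORDER BY column is an identifier, which cannot be bound as a query parameter, so the request value must be mapped to a known column name before any SQL is built, and every other value rejected.

```python
import sqlite3

# Constructed illustration only: these table and column names are invented and
# are not SOPlanning's real schema.
ALLOWED_SORT_COLUMNS = {
    "login": "login",
    "nom": "nom",
    "groupe": "groupe",
}

BASE_QUERY = "SELECT login, nom, groupe FROM users ORDER BY "


def build_sort_query_unsafe(by):
    """'Before' pattern: the request parameter is spliced straight into the SQL
    text, so any value that is not a bare column name changes the query's
    structure. Shown for contrast only; never executed here."""
    return BASE_QUERY + by


def build_sort_query_safe(by):
    """Hardened pattern: the request value is looked up in an allowlist and the
    matching column name (never the raw input) is placed in the query. Any
    value not in the allowlist is rejected before SQL is built."""
    try:
        column = ALLOWED_SORT_COLUMNS[by]
    except (KeyError, TypeError):
        raise ValueError("unexpected value for 'by' parameter") from None
    return BASE_QUERY + column


def is_accepted(by):
    """True if the value would pass the allowlist check."""
    try:
        build_sort_query_safe(by)
    except ValueError:
        return False
    return True


def sorted_logins(by):
    """Run the hardened query against an in-memory SQLite table filled with
    constructed sample rows and return the logins in the requested order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, nom TEXT, groupe TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("carol", "Carol", "admin"), ("alice", "Alice", "users"), ("bob", "Bob", "users")],
    )
    rows = conn.execute(build_sort_query_safe(by)).fetchall()
    conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(sorted_logins("nom"))
    for candidate in ("login", "nom DESC", "nom, login"):
        print(candidate, "->", "accepted" if is_accepted(candidate) else "rejected")
```

Note that the check is an exact-match lookup, not a keyword filter: "nom DESC" is rejected even though it contains no SQL keyword, because the application never needs that value. A WAF keyword rule (the second workaround above) is a useful stopgap, but it is the allowlist in the application that removes the injection point.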
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SOPlanning from other systems
- Enable detailed logging and monitoring for SQL injection attempts on the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check if SOPlanning version is below 1.45 by reviewing the application version in the interface or configuration files
Check Version:
Check the version.php file or application interface for version information
Verify Fix Applied:
Confirm SOPlanning version is 1.45 or higher and test the user_groupes.php endpoint with SQL injection payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple requests to user_groupes.php with unusual parameter values
- Database query patterns from unexpected sources
Network Indicators:
- HTTP requests to /soplanning/www/user_groupes.php containing SQL keywords in parameters
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri="/soplanning/www/user_groupes.php" AND param="by" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "INSERT" OR value CONTAINS "DELETE")
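The SIEM query and the "multiple requests to user_groupes.php" indicator, implemented as a log scanner. This is an added example, not part of the advisory and not SOPlanning's code; it assumes Apache/nginx combined log format, and the sample lines (documentation IP ranges, invented timestamps, an index.php request used as a non-matching control) are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/soplanning/www/user_groupes.php"

# Keywords named in the advisory's SIEM query; matched as whole words,
# case-insensitively, so a legitimate value such as "selection" is not flagged.
SQL_KEYWORD_RE = re.compile(r"\b(UNION|SELECT|INSERT|DELETE)\b", re.IGNORECASE)

# Assumption: combined log format. Adjust LOG_RE for other web server formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /soplanning/www/user_groupes.php?by=nom HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2024:12:00:05 +0000] "GET /soplanning/www/user_groupes.php?by=nom%20UNION%20SELECT HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2024:12:00:06 +0000] "GET /soplanning/www/user_groupes.php?by=login%20union%20select HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2024:12:00:09 +0000] "GET /soplanning/www/index.php?by=UNION HTTP/1.1" 200 500 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:12:00:12 +0000] "GET /soplanning/www/user_groupes.php?by=groupe&order=asc HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into client IP, request path,
    decoded query parameters and HTTP status; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": target.path,
        "params": parse_qs(target.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def contains_sql_keyword(value):
    """True if the (already URL-decoded) value contains one of the keywords."""
    return SQL_KEYWORD_RE.search(value) is not None


def scan(log_text):
    """Apply the SIEM query logic: only requests whose path is exactly the
    vulnerable endpoint are considered, and an alert is raised for each 'by'
    value carrying a SQL keyword. Per-IP request counts to the endpoint are
    returned as well, for the 'multiple requests' indicator."""
    alerts = []
    endpoint_hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        endpoint_hits[rec["ip"]] += 1
        for value in rec["params"].get("by", []):
            if contains_sql_keyword(value):
                alerts.append((rec["ip"], value, rec["status"]))
    return {"alerts": alerts, "endpoint_hits": dict(endpoint_hits)}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for ip, value, status in result["alerts"]:
        print(f"ALERT {ip} by={value!r} status={status}")
    print("requests to endpoint per IP:", result["endpoint_hits"])
```

Two details matter in practice. The path is compared exactly, so the same keyword in a parameter to another script is not an alert for this CVE (the index.php control line is ignored), and the parameter is URL-decoded before matching, so `%20UNION%20` is caught. The HTTP status is carried along because a 500 on this endpoint correlates with the "unusual SQL errors in application logs" indicator above and helps triage a hit.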