qdPM 9.1 SQL Injection Vulnerability (CVE-2018-25208)
qdPM version 9.1 is vulnerable to SQL injection, allowing unauthenticated attackers to extract sensitive database information by injecting malicious SQL code into the filter_by parameters of the timeReport endpoint.
qdPM 9.1 is susceptible to an SQL injection vulnerability (CVE-2018-25208) that enables unauthenticated attackers to extract database information. This vulnerability is located in the timeReport endpoint and is triggered by manipulating the filter_by parameters. By sending specially crafted POST requests containing malicious SQL code within the filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] parameters, attackers can bypass authentication and execute arbitrary SQL queries. Successful exploitation leads to the unauthorized extraction of sensitive data stored within the qdPM database. This vulnerability poses a significant risk to organizations using qdPM 9.1, potentially exposing confidential project management data.
Attack Chain
- The attacker identifies a qdPM 9.1 instance exposed to the internet.
- The attacker crafts a malicious POST request targeting the
/timeReportendpoint. - The attacker injects SQL code into the
filter_by[CommentCreatedFrom]andfilter_by[CommentCreatedTo]parameters within the POST request. The injected SQL code is designed to extract sensitive data. - The attacker sends the malicious POST request to the vulnerable qdPM instance.
- The qdPM application fails to properly sanitize the input provided in the
filter_byparameters. - The injected SQL code is executed against the qdPM database.
- The database returns the results of the injected SQL query to the application.
- The attacker receives the extracted data in the HTTP response, potentially including usernames, passwords, project details, and other sensitive information.
Impact
Successful exploitation of this SQL injection vulnerability allows unauthenticated attackers to extract sensitive information from the qdPM database. This can include usernames, passwords, project details, customer data, and financial information. The impact can range from data breaches and financial losses to reputational damage and legal liabilities. Due to the unauthenticated nature of the vulnerability, all qdPM 9.1 installations exposed to the internet are at risk.
Recommendation
- Apply the necessary patches or upgrade to a secure version of qdPM to remediate CVE-2018-25208.
- Implement input validation and sanitization on all user-supplied data, especially within the
filter_byparameters of thetimeReportendpoint, to prevent SQL injection attacks. - Deploy the provided Sigma rule to detect malicious POST requests with SQL injection attempts targeting the
timeReportendpoint in your web server logs. - Monitor web server logs for suspicious activity, such as unusual POST requests to
/timeReportwith potentially malicious SQL code in thefilter_byparameters.
Detection coverage 2
Detect qdPM SQL Injection Attempt via timeReport Endpoint
highDetects potential SQL injection attempts targeting the qdPM timeReport endpoint through the filter_by parameters.
Detect qdPM SQL Injection Attempt - Generic SQLi Keywords
mediumDetects common SQL injection keywords in web requests potentially targeting qdPM.
Detection queries are available on the platform. Get full rules →