Attack Chain

1. An unauthenticated attacker sends a crafted HTTP request to the login endpoint of eDirectory.
2. The attacker injects SQL code into the key parameter within the request, using a UNION-based SQL injection technique.
3. The eDirectory server improperly processes the SQL injection, allowing the attacker to bypass authentication and gain administrator privileges.
4. The attacker, now authenticated as an administrator, sends a request to the language_file.php script.
5. The attacker exploits a file disclosure vulnerability in the language_file.php script by manipulating input parameters.
6. The server, due to the vulnerability, reads the arbitrary PHP file specified by the attacker.
7. The server returns the contents of the requested PHP file to the attacker.
8. The attacker analyzes the disclosed PHP file, potentially revealing sensitive information such as database credentials or configuration details.

Impact

Successful exploitation of CVE-2019-25675 allows unauthenticated attackers to gain complete control over the affected eDirectory instance. This can lead to the exfiltration of sensitive data, including user credentials and configuration information. While the specific number of victims is not stated, the potential impact is high considering the widespread use of eDirectory in various sectors. A successful attack could compromise the confidentiality and integrity of critical systems and data.

Recommendation

• Apply available patches or updates for eDirectory to address the SQL injection vulnerabilities described in CVE-2019-25675.
• Deploy the Sigma rule Detect eDirectory language_file.php File Disclosure to detect attempts to exploit the file disclosure vulnerability.
• Deploy the Sigma rule Detect eDirectory SQL Injection Attempt to detect SQL injection attempts against the login endpoint.
• Monitor web server logs for suspicious requests to the login endpoint (/login) and language_file.php to identify potential exploitation attempts.