<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>QdPM - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/qdpm/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/qdpm/feed.xml" rel="self" type="application/rss+xml"/><item><title>qdPM 9.1 SQL Injection Vulnerability (CVE-2018-25208)</title><link>https://feed.craftedsignal.io/briefs/2024-01-qdpm-sqli/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-qdpm-sqli/</guid><description>qdPM version 9.1 is vulnerable to SQL injection, allowing unauthenticated attackers to extract sensitive database information by injecting malicious SQL code into the filter_by parameters of the timeReport endpoint.</description><content:encoded><![CDATA[<p>qdPM 9.1 is susceptible to an SQL injection vulnerability (CVE-2018-25208) that enables unauthenticated attackers to extract database information. This vulnerability is located in the timeReport endpoint and is triggered by manipulating the filter_by parameters. By sending specially crafted POST requests containing malicious SQL code within the <code>filter_by[CommentCreatedFrom]</code> and <code>filter_by[CommentCreatedTo]</code> parameters, attackers can bypass authentication and execute arbitrary SQL queries. Successful exploitation leads to the unauthorized extraction of sensitive data stored within the qdPM database. This vulnerability poses a significant risk to organizations using qdPM 9.1, potentially exposing confidential project management data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a qdPM 9.1 instance exposed to the internet.</li>
<li>The attacker crafts a malicious POST request targeting the <code>/timeReport</code> endpoint.</li>
<li>The attacker injects SQL code into the <code>filter_by[CommentCreatedFrom]</code> and <code>filter_by[CommentCreatedTo]</code> parameters within the POST request. The injected SQL code is designed to extract sensitive data.</li>
<li>The attacker sends the malicious POST request to the vulnerable qdPM instance.</li>
<li>The qdPM application fails to properly sanitize the input provided in the <code>filter_by</code> parameters.</li>
<li>The injected SQL code is executed against the qdPM database.</li>
<li>The database returns the results of the injected SQL query to the application.</li>
<li>The attacker receives the extracted data in the HTTP response, potentially including usernames, passwords, project details, and other sensitive information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SQL injection vulnerability allows unauthenticated attackers to extract sensitive information from the qdPM database. This can include usernames, passwords, project details, customer data, and financial information. The impact can range from data breaches and financial losses to reputational damage and legal liabilities. Due to the unauthenticated nature of the vulnerability, all qdPM 9.1 installations exposed to the internet are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the necessary patches or upgrade to a secure version of qdPM to remediate CVE-2018-25208.</li>
<li>Implement input validation and sanitization on all user-supplied data, especially within the <code>filter_by</code> parameters of the <code>timeReport</code> endpoint, to prevent SQL injection attacks.</li>
<li>Deploy the provided Sigma rule to detect malicious POST requests with SQL injection attempts targeting the <code>timeReport</code> endpoint in your web server logs.</li>
<li>Monitor web server logs for suspicious activity, such as unusual POST requests to <code>/timeReport</code> with potentially malicious SQL code in the <code>filter_by</code> parameters.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>sqli</category><category>cve-2018-25208</category><category>qdpm</category></item></channel></rss>