CVE-2020-15487 in Re:Desk
Summary
by MITRE • 10/04/2020
Re:Desk 2.3 contains a blind unauthenticated SQL injection vulnerability in the getBaseCriteria() function in the protected/models/Ticket.php file. By modifying the folder GET parameter, it is possible to execute arbitrary SQL statements via a crafted URL. Unauthenticated remote command execution is possible by using this SQL injection to update certain database values, which are then executed by a bizRule eval() function in the yii/framework/web/auth/CAuthManager.php file. Resultant authorization bypass is also possible, by recovering or modifying password hashes and password reset tokens, allowing for administrative privileges to be obtained.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 11/15/2020
The CVE-2020-15487 vulnerability resides within Re:Desk 2.3, a help desk management system that suffers from a critical blind SQL injection flaw in its core ticket handling functionality. This vulnerability specifically targets the getBaseCriteria() function located in protected/models/Ticket.php, where improper input validation allows attackers to manipulate the folder GET parameter and inject malicious SQL code. The flaw represents a classic blind SQL injection vulnerability categorized under CWE-89, which occurs when application input is directly concatenated into SQL queries without proper sanitization or parameterization mechanisms. The vulnerability exists because the application fails to implement proper input filtering or prepared statement usage when processing user-supplied folder parameter values.
The exploitation chain begins with the initial SQL injection payload that can be crafted through manipulation of the folder GET parameter in the URL structure. This vulnerability enables attackers to execute arbitrary SQL commands against the underlying database without requiring authentication, making it particularly dangerous as it can be exploited by anyone with access to the web application. The attack surface expands significantly when considering that the SQL injection can be leveraged to modify database values that are subsequently processed by the yii framework's authorization system. Specifically, the bizRule eval() function in yii/framework/web/auth/CAuthManager.php becomes a critical execution point where modified database values are evaluated and executed, transforming the SQL injection into a remote command execution capability. This represents a sophisticated attack vector that moves beyond simple data exfiltration to full system compromise.
The operational impact of this vulnerability extends far beyond traditional data breach scenarios, as it provides attackers with multiple attack paths to achieve administrative control over the system. The ability to bypass authentication through password hash recovery or modification, combined with the potential for remote command execution, creates a comprehensive attack framework that can lead to complete system compromise. Attackers can manipulate the database to modify user credentials, reset passwords, or elevate privileges without requiring legitimate authentication, effectively rendering the application's access controls useless. The vulnerability's unauthenticated nature means that any external party can exploit it without prior access credentials, making it particularly attractive to threat actors seeking to gain unauthorized access to sensitive help desk systems. This vulnerability directly maps to ATT&CK technique T1078 for valid accounts and T1566 for phishing attacks, as it enables unauthorized access through credential manipulation and system compromise.
Organizations running Re:Desk 2.3 should prioritize immediate remediation through the vendor's security update or patch release that addresses the SQL injection vulnerability in the getBaseCriteria() function. The fix should implement proper input validation and parameterized queries to prevent SQL injection, while also ensuring that database modifications cannot be directly influenced through user-supplied parameters. Additional mitigations should include implementing proper access controls and monitoring for unusual database access patterns, particularly around authentication-related tables. Network segmentation and web application firewalls can provide additional defense-in-depth layers to detect and block exploitation attempts. Regular security assessments should verify that no other similar vulnerabilities exist in the application's codebase, particularly in other database interaction functions. The vulnerability demonstrates the critical importance of secure coding practices and input validation, as it could have been prevented through proper implementation of prepared statements and parameterized queries. Organizations should also consider implementing automated vulnerability scanning tools that can detect similar patterns in other applications and systems to prevent similar exploitation vectors from being overlooked.