Submission #807743: CodeCanyon Perfex CRM 3.4.1 SQL Injection

Info

Title: CodeCanyon Perfex CRM 3.4.1 SQL Injection
Description:

Perfex CRM 3.4.1 (and likely every earlier 3.x build that ships application/services/AbstractKanban.php) contains an authenticated blind time-based SQL injection in four admin kanban "load more" endpoints. The helper AbstractKanban::applySortQuery() concatenates the attacker-controlled sort_by and sort request parameters into an ORDER BY clause and calls $this->ci->db->order_by($expr, '', false) with the third argument set to false, which disables CodeIgniter's identifier escaping. qualifyColumn() only prepends the table name; there is no whitelist of allowed columns.

Four controllers feed user input straight into this sink:
- application/controllers/admin/Leads.php::leads_kanban_load_more
- application/controllers/admin/Proposals.php::proposals_pipeline_load_more
- application/controllers/admin/Estimates.php::estimates_pipeline_load_more
- application/controllers/admin/Tasks.php::tasks_kanban_load_more

Each endpoint is gated only by is_staff_member(). There is no role / capability check, so any staff account — including a newly-created non-admin staff with zero role permissions — can exploit the bug.

The primitive is a full read of the application database. The most impactful target is tblstaff.password (phpass/bcrypt hashes), which enables offline cracking and escalation to the admin account.

CWE-89 (SQL Injection), CWE-20 (Improper Input Validation). CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N = 7.1 High.

Minimum reproducer (assumes one non-admin staff account, Eve, with the default "Customer" leads_status row present, which is the stock onboarding state):

    BASE=http://target.example
    JAR=$(mktemp)
    TOK=$(curl -s -c "$JAR" "$BASE/admin/authentication/admin" | grep -oE 'csrf_token_name" value="[^"]*"' | sed 's/.*value="//;s/"//')
    curl -s -c "$JAR" -b "$JAR" -o /dev/null -X POST "$BASE/admin/authentication/admin" --data-urlencode "csrf_token_name=$TOK" --data-urlencode "[email protected]" --data-urlencode "password=StaffPass1!"
    time curl -s -b "$JAR" -o /dev/null "$BASE/admin/leads/leads_kanban_load_more?status=1&page=1&sort=asc&sort_by=id%2C(SELECT%20SLEEP(3))"

With a small number of leads visible to the staff session, the request sleeps ~9 seconds versus ~30 ms for the harmless baseline (sort_by=id). The same pattern works on proposals_pipeline_load_more, estimates_pipeline_load_more, and tasks_kanban_load_more. Full hash-extraction PoC (Python, binary-search oracle on tblstaff.password): see the Bytium advisory.

Fix: in AbstractKanban::applySortQuery(), validate sort_by against a per-pipeline whitelist of allowed columns and validate sort against {'asc','desc'} before concatenating into the ORDER BY expression. Do not disable CodeIgniter's identifier escaping on attacker-influenced input.
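The whitelist-based fix sketched above, written out as an added example rather than Perfex CRM's own code: the method signature, the class names and the per-pipeline column lists are assumptions, and a stub stands in for CodeIgniter's query builder so the check can be exercised on its own. The same resolveSort() logic applies to all four pipelines, not just leads.

```php
<?php
// Added example: whitelist validation for the kanban sort parameters described above.
// Not Perfex CRM's code; the method signature and the column lists are assumptions.

abstract class AbstractKanbanExample
{
    /** pipeline => permitted sort columns (assumed lists, adjust to the real schema) */
    private const ALLOWED_SORT_COLUMNS = [
        'leads'     => ['id', 'dateadded', 'lastcontact'],
        'proposals' => ['id', 'date', 'open_till'],
        'estimates' => ['id', 'date', 'expirydate'],
        'tasks'     => ['id', 'dateadded', 'duedate'],
    ];
    private const ALLOWED_DIRECTIONS = ['asc', 'desc'];

    /** Map request values onto whitelisted ones; anything else falls back to the defaults. */
    protected function resolveSort(string $pipeline, ?string $sortBy, ?string $sort): array
    {
        $allowed = self::ALLOWED_SORT_COLUMNS[$pipeline] ?? [];
        // Strict in_array: no type juggling, and "id,(SELECT SLEEP(3))" is simply not a member.
        $column = in_array($sortBy, $allowed, true) ? $sortBy : 'id';
        $dir = strtolower((string) $sort);
        $dir = in_array($dir, self::ALLOWED_DIRECTIONS, true) ? $dir : 'asc';
        return [$column, $dir];
    }

    /** $db is CodeIgniter's query builder; identifier escaping stays on (no third argument of false). */
    protected function applySortQuery($db, string $table, string $pipeline, ?string $sortBy, ?string $sort): void
    {
        [$column, $dir] = $this->resolveSort($pipeline, $sortBy, $sort);
        $db->order_by($table . '.' . $column, $dir);
    }
}

final class LeadsKanbanExample extends AbstractKanbanExample
{
    public function loadMore($db, ?string $sortBy, ?string $sort): void
    {
        $this->applySortQuery($db, 'tblleads', 'leads', $sortBy, $sort);
    }
}

// Stand-in for the query builder so the check can be exercised outside CodeIgniter.
$db = new class { public array $calls = []; public function order_by(...$args): void { $this->calls[] = $args; } };
$kanban = new LeadsKanbanExample();
$kanban->loadMore($db, 'id,(SELECT SLEEP(3))', 'asc'); // injected value is rejected, default column used
$kanban->loadMore($db, 'dateadded', 'DESC');           // whitelisted column, direction normalised
// Both recorded calls should contain only whitelisted column and direction values.
var_dump($db->calls === [['tblleads.id', 'asc'], ['tblleads.dateadded', 'desc']]);
```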
Source: https://bytium.com/insights/blind-sql-injection-in-perfex-crm-3-4-1
User: suffer (UID 74855)
Submission: 18/04/2026 08:10 PM (2 months ago)
Moderation: 04/05/2026 05:58 PM (16 days later)
Status: Accepted
VulDB Entry: 360980 [CodeCanyon Perfex CRM up to 3.4.1 Admin Kanban Endpoint AbstractKanban.php applySortQuery this SQL Injection]
Points: 20
