"CVE-2022-42744: Unrestricted CRUD Operations in CandidATS 3.. Leads to Database Compromise"

Overview: CandidATS version 3.. has a security vulnerability that allows external attackers to perform Create, Read, Update, and Delete (CRUD) operations on application databases. The software does not appropriately validate the "entriesPerPage" parameter against SQL Injection (SQLi) attacks.

Vulnerability Details

CandidATS version 3.., an open-source Applicant Tracking System (ATS), has a security flaw that makes it possible for an attacker to manipulate the database through CRUD operations. The vulnerability arises from insufficient input validation of the "entriesPerPage" parameter before it is used in queries against the application's database.

An attacker can exploit this vulnerability using an SQL injection attack. SQLi attacks occur when an attacker inserts malicious SQL code into an application's entry point, typically through input fields where users submit data. The attacker's code is then executed along with the application's intended SQL queries, allowing the attacker unauthorized access to the database.

Proof of Concept

The following code snippet demonstrates how the malicious SQLi code could be inserted into the "entriesPerPage" parameter:

entriesPerPage=10; SELECT * FROM users WHERE username='CANDIDATE' UNION ALL SELECT NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL; --&sort=%27modifiedTime%27

As seen in the provided code snippet, the attacker uses UNION ALL to append the results of a second SELECT statement to those of the original query, retrieving additional information from the application database. @@version is a database server system variable that returns the server version, so its value appearing in the response indicates that the SQLi attack was successful.

The attacker inserts the malicious SQLi exploit into the "entriesPerPage" parameter, and the application executes the attacker's SQL query, revealing sensitive information about the database or allowing CRUD operations.

The CandidATS project's GitHub repository lists the vulnerability, which you can find at this link: CandidATS GitHub Issue

Moreover, you can find more information about CandidATS on their official website: CandidATS Official Website

To secure your CandidATS instance against this vulnerability, follow these steps:

1. Update CandidATS to the latest version, which includes fixes for this vulnerability. The updates can be found on their official website or GitHub repository.
2. Improve input validation. Always validate and properly sanitize user input, especially where it is used in database queries.
3. Limit the permissions of database users. Avoid using privileged database accounts for normal application operations.
4. Implement a Web Application Firewall (WAF) to identify and block malicious traffic. WAFs can detect SQLi attacks by monitoring query strings and input data for unusual patterns.
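Step 2 in practice, as an added example that is not code from CandidATS or from the original advisory: the "entriesPerPage" value is accepted only as a small positive integer and bound as the LIMIT parameter, while the "sort" column (which cannot be bound) is matched against an allowlist. The table and column names, the sample rows, and the SQLite backend are assumptions made for the demonstration.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Allowlist of columns the "sort" parameter may name (assumed column names).
ALLOWED_SORT_COLUMNS = {"id", "username", "modifiedTime"}

# Constructed sample rows standing in for the application's users table.
SAMPLE_USERS = [(1, "alice", "2022-10-01"), (2, "bob", "2022-10-05"),
                (3, "carol", "2022-10-03")]

def parse_entries_per_page(raw):
    """Accept only a plain ASCII integer from 1 to 999; anything else,
    including a '10; SELECT ...' payload, raises ValueError."""
    if raw is None or not re.fullmatch(r"[1-9][0-9]{0,2}", raw):
        raise ValueError("entriesPerPage must be a positive integer")
    return int(raw)

def parse_sort(raw):
    """ORDER BY cannot be bound as a parameter, so the column name must
    match a fixed allowlist instead of being interpolated from input."""
    if raw not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort must name an allowlisted column")
    return raw

def build_query(query_string):
    """Return (sql, params) for a paginated listing; LIMIT is a bound parameter."""
    qs = parse_qs(query_string, keep_blank_values=True)
    per_page = parse_entries_per_page(qs.get("entriesPerPage", [None])[0])
    sort_col = parse_sort(qs.get("sort", [None])[0])
    sql = f"SELECT id, username, modifiedTime FROM users ORDER BY {sort_col} LIMIT ?"
    return sql, (per_page,)

def run_listing(query_string):
    """Execute the validated query against an in-memory table of sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, modifiedTime TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    sql, params = build_query(query_string)
    return conn.execute(sql, params).fetchall()

def request_is_rejected(query_string):
    """True when validation refuses the request before any SQL is built."""
    try:
        build_query(query_string)
    except ValueError:
        return True
    return False
```

The quoted sort value from the proof of concept (%27modifiedTime%27) is rejected as well, because the allowlist expects a bare column name.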

In conclusion, it is essential to always keep your software up-to-date to minimize security risks. Moreover, improving input validation, limiting database user permissions, and implementing a Web Application Firewall can significantly enhance the security of web applications against various attack vectors, including SQLi attacks.

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/05/2022 00:32:00 UTC