CVE-2018-20508

Vulnerability

CrashFix version 1.0.4 contains a SQL injection vulnerability in the UserController.php actionIndex function, which processes the $_POST['User'] parameter. The User model's search() method in protected\models\User.php directly concatenates the User[status] value into a SQL query without sanitization or parameterization, as shown in the source code: $criteria->addCondition('t.status='.$status, 'AND'). This allows an attacker to inject arbitrary SQL commands via the status field. The vulnerability is present in version 1.0.4 only, as reported in the project's ticket system [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP POST request to the vulnerable endpoint with a malicious User[status] parameter. No authentication is required if the endpoint is publicly accessible. The attacker simply includes SQL injection payloads (e.g., 1 OR 1=1) in the status value, which are then executed by the database. The exact sequence involves submitting a POST request to the actionIndex route with User[status] set to a malicious string.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL queries against the underlying database. This can lead to unauthorized disclosure of sensitive data (e.g., user credentials, crash reports), modification or deletion of database records, and potentially full compromise of the application's data integrity. The attacker gains the ability to read, write, or delete any data accessible to the database user, which may include administrative information.

Mitigation

As of the publication date (2018-12-27), no official patch or fixed version has been released for CrashFix 1.0.4. The ticket [1] remains open with no resolution. Users are advised to apply input validation and use parameterized queries (prepared statements) to mitigate the risk. If an update becomes available, upgrading to the latest version is recommended. No workaround is provided in the available references.