CVE-2018-25180
Description
Maitra 1.7.2 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the mailid parameter in the outmail and inmail modules. Attackers can also download the SQLite database file directly from the application directory to extract sensitive mail tracking data and credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Maitra 1.7.2 SQL injection in mailid parameter lets authenticated attackers execute arbitrary SQL and download the SQLite database, exposing sensitive data.
Vulnerability
Maitra 1.7.2 contains a SQL injection vulnerability in the mailid parameter of the outmail and inmail modules. The application fails to sanitize user input, allowing authenticated attackers to inject arbitrary SQL commands [1]. Additionally, the SQLite database file (maitra.sqlite) is stored in a publicly accessible directory (application/db/), enabling direct download without authentication [1].
Exploitation
An attacker with valid credentials can exploit the SQL injection by sending a crafted request to the mailid parameter. For example, a UNION-based injection retrieves database version and user data. The database file can be obtained via a simple GET request to /application/db/maitra.sqlite. The attack requires network access to the application's web interface [1].
Impact
Successful exploitation allows arbitrary SQL execution, leading to extraction of all data from the SQLite database, including mail tracking records and stored credentials. Direct database download provides a complete dump of the application's data. This can result in full compromise of the mail tracking system and exposure of sensitive information [2].
Mitigation
No official patch has been released for this version. Users should restrict network access to the application, ensure strong authentication, and consider moving the database file outside the web root or disabling the vulnerable modules if possible [1][2].
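The following Python is an added illustration, not Maitra's code: the table and column names, the sample rows and the path layout are constructed assumptions standing in for the page's outmail module and application/db/maitra.sqlite. It reproduces, against a throwaway in-memory SQLite database, the two patterns the Exploitation section describes: a mailid lookup built by string concatenation, which a UNION-based payload turns into a dump of another table plus sqlite_version(), beside the parameterized lookup that defeats it; and a path check for the mitigation of keeping the database file outside the web root.

```python
import posixpath
import sqlite3
from pathlib import PurePosixPath


def build_demo_db():
    """Constructed sample schema; an assumed approximation of a mail-tracking
    app's tables, not Maitra's real schema or data."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE outmail (mailid INTEGER PRIMARY KEY, subject TEXT, recipient TEXT)")
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    cur.executemany("INSERT INTO outmail VALUES (?, ?, ?)", [
        (1, "Invoice 42", "alice@example.test"),
        (2, "Contract", "bob@example.test"),
    ])
    cur.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", "constructed-hash-1"),
    ])
    conn.commit()
    return conn


def fetch_mail_vulnerable(conn, mailid):
    """String concatenation: the pattern behind an injectable mailid parameter.
    Whatever the caller passes becomes part of the SQL text."""
    sql = "SELECT mailid, subject, recipient FROM outmail WHERE mailid = " + str(mailid)
    return conn.execute(sql).fetchall()


def fetch_mail_safe(conn, mailid):
    """Hardened lookup: enforce the integer type, then bind the value so the
    driver treats it as data, never as SQL."""
    try:
        mailid = int(mailid)
    except (TypeError, ValueError):
        raise ValueError("mailid must be an integer")
    return conn.execute(
        "SELECT mailid, subject, recipient FROM outmail WHERE mailid = ?", (mailid,)
    ).fetchall()


# Constructed UNION payload. mailid = 0 matches no row, so the only rows that
# come back are the attacker-chosen SELECT: the credentials column and the
# SQLite version. The column count (3) must match the original SELECT.
UNION_PAYLOAD = (
    "0 UNION SELECT id, username || ':' || password, sqlite_version() FROM users"
)


def db_under_web_root(web_root, db_path):
    """True when db_path resolves to a location below web_root, i.e. the file
    is fetchable by a plain GET if the web server serves static files there.
    Paths are normalised lexically (no symlink resolution)."""
    root = PurePosixPath(posixpath.normpath(web_root))
    db = PurePosixPath(posixpath.normpath(db_path))
    return root in db.parents


if __name__ == "__main__":
    conn = build_demo_db()
    print("vulnerable:", fetch_mail_vulnerable(conn, UNION_PAYLOAD))
    try:
        fetch_mail_safe(conn, UNION_PAYLOAD)
    except ValueError as exc:
        print("safe rejected payload:", exc)
    # Assumed paths, one mirroring the page's application/db/ layout.
    print(db_under_web_root("/var/www/html", "/var/www/html/application/db/maitra.sqlite"))
    print(db_under_web_root("/var/www/html", "/var/lib/maitra/maitra.sqlite"))
```

Python's sqlite3 executes only one statement per execute() call, so stacked queries (`; DROP TABLE ...`) fail here, but that does nothing to stop UNION-based extraction; only binding the parameter does. The path check is a deployment sanity test: if it returns True for the configured database location, the file needs to move outside the document root or the directory needs an explicit deny rule in the web server.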
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0
No linked articles in our index yet.