VYPR
High severity · CVSS 7.1 · NVD Advisory · Published Apr 12, 2026 · Updated Apr 17, 2026

CVE-2019-25707

Description

eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to pdf.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table names and schema details.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

eBrigade ERP 4.5 has an authenticated SQL injection in pdf.php via the 'id' parameter, allowing attackers to extract database schema and sensitive data.

Vulnerability

Overview

CVE-2019-25707 is an SQL injection vulnerability in eBrigade ERP version 4.5. The flaw resides in the pdf.php script, where the id parameter is not properly sanitized before being used in SQL queries. The code retrieves the id value from GET or POST requests and passes it through a secure_input() function, but the subsequent explode() call splits the value on commas, and the resulting array elements are used directly in SQL statements without parameterization. This allows an authenticated attacker to inject arbitrary SQL commands [1][2].

Exploitation

An attacker must be authenticated to the eBrigade ERP application. The attack is performed by sending a crafted GET request to pdf.php with a malicious payload in the id parameter. The proof-of-concept demonstrates that the id parameter can contain URL-encoded SQL injection strings that extract database metadata, such as table names and schema information. The attack does not require any special privileges beyond a valid session [1].

Impact

Successful exploitation enables an attacker to execute arbitrary SQL queries against the underlying database. This can lead to the extraction of sensitive information, including database schema details, table names, and potentially user credentials or other confidential data stored in the application's database. The CVSS v3 score of 7.1 (High) reflects the significant confidentiality impact, though integrity and availability impacts are limited [2].

Mitigation

As of the publication date, eBrigade ERP 4.5 is the affected version. Users should upgrade to a patched version if one is available; otherwise, the id parameter in pdf.php should be strictly validated (for example, restricted to a list of integers) and every value passed to the database through parameterized queries rather than string concatenation. No official patch has been confirmed, so the issue remains for the vendor to address. The vulnerability is publicly documented with a working exploit [1][2].
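The following is an added illustration of the fix the mitigation describes; it is not eBrigade's code. It shows how a comma-separated id list of the kind pdf.php is described as accepting can be handled so that request data never reaches the SQL text: each element is validated as a canonical positive integer and then bound as a parameter. The table and column names (documents, id, title) and the SQLite in-memory database are assumptions made so the example runs on its own.

```php
<?php
// Validate a comma-separated 'id' value into a list of integers.
// Anything that is not a plain positive integer is rejected outright,
// instead of being "cleaned" and spliced into a query.
function parseIdList(string $raw, int $max = 50): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        if (!preg_match('/^[1-9][0-9]{0,9}$/', $part)) {
            throw new InvalidArgumentException('invalid id element: ' . $part);
        }
        $ids[] = (int) $part;
    }
    $ids = array_values(array_unique($ids));
    if (count($ids) === 0 || count($ids) > $max) {
        throw new InvalidArgumentException('unexpected number of ids');
    }
    return $ids;
}

// Fetch rows for the validated ids with one bound placeholder per value.
// The SQL text is fixed apart from the count of '?' markers; the values
// travel as typed parameters, so they cannot alter the statement.
function fetchRecords(PDO $db, array $ids): array
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, title FROM documents WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demonstration with a constructed in-memory table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO documents VALUES (1, 'report-a'), (2, 'report-b'), (3, 'report-c')");

print_r(fetchRecords($db, parseIdList('1, 3')));   // two rows: ids 1 and 3

try {
    // A value that is not a pure integer list is refused before any query runs.
    parseIdList('1,3 OR 1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

In the real handler the first argument to parseIdList would be `$_GET['id'] ?? ''`, and a rejected value should produce an error response rather than a query.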

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.