VYPR
Unrated severity · NVD Advisory · Published Oct 16, 2020 · Updated Aug 4, 2024

CVE-2020-26944

Description

An issue was discovered in Aptean Product Configurator 4.61.0000 on Windows. A time-based SQL injection affects the nameTxt parameter on the main login page (aka cse?cmd=LOGIN). This can be exploited directly and remotely.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated time-based SQL injection in Aptean Product Configurator 4.61.0000 and earlier allows remote attackers to extract database contents.

Vulnerability

A time-based SQL injection vulnerability exists in the nameTxt parameter of the main login page in Aptean Product Configurator versions 4.0 SP6 through 4.61.0000. The affected endpoint is /pc40/cse?cmd=LOGIN, which processes user-supplied input without proper sanitization. The vulnerability is triggered via a GET request to that URL with the nameTxt parameter, allowing an attacker to inject malicious SQL statements [1].

Exploitation

An attacker can exploit this vulnerability remotely without any authentication or prior knowledge of the system. By manipulating the nameTxt parameter with time-based SQL injection payloads, the attacker can infer database structure and extract data. The attacker merely needs network access to the login page, which the vendor may have exposed to the internet. No special privileges or user interaction is required [1].

Impact

Successful exploitation allows the attacker to extract all data stored in the application database, including potentially sensitive information. The attack can also be used for further system enumeration beyond the database, compromising confidentiality and integrity. The time-based technique reveals data without directly outputting it, but the attacker can systematically retrieve any database content [1].

Mitigation

The vendor should apply input validation and parameterized queries to fix the SQL injection. As of the reference publication date (October 2020), no official patch information is provided. Users should restrict network access to the login page to trusted hosts only, ideally not exposing it to the internet, as a temporary workaround [1].
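While the login page remains reachable and unpatched, requests to it can be monitored. The following is an added example, not code from the advisory or the vendor: it scans reverse-proxy access logs for GET requests to /pc40/cse?cmd=LOGIN whose nameTxt value falls outside a username allowlist and correlates them with slow responses. The log format, the allowlist pattern, the 3-second threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines. Assumed format: client "METHOD URI PROTO" status seconds
SAMPLE_LOG = """\
203.0.113.7 "GET /pc40/cse?cmd=LOGIN&nameTxt=jsmith HTTP/1.1" 200 0.112
203.0.113.9 "GET /pc40/cse?cmd=LOGIN&nameTxt=x%27%20CONSTRUCTED-PROBE HTTP/1.1" 200 5.031
203.0.113.9 "GET /pc40/cse?cmd=LOGIN&nameTxt=x%27%20CONSTRUCTED-PROBE-2 HTTP/1.1" 200 0.098
198.51.100.4 "GET /pc40/cse?cmd=LOGIN&nameTxt=mary.o HTTP/1.1" 200 6.200
198.51.100.4 "GET /pc40/index.html HTTP/1.1" 200 7.500
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) \S+" (\d{3}) (\d+\.\d+)$')
USERNAME_OK = re.compile(r'^[A-Za-z0-9._@-]{1,64}$')  # assumed username policy
SLOW_SECONDS = 3.0  # assumed threshold; tune to the site's normal login latency

def classify(line):
    """Return (client, verdict) for a login request, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, _method, uri, _status, secs = m.groups()
    url = urlsplit(uri)
    qs = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if url.path != "/pc40/cse" or qs.get("cmd") != ["LOGIN"]:
        return None
    odd = any(not USERNAME_OK.match(v) for v in qs.get("nameTxt", []))
    slow = float(secs) >= SLOW_SECONDS
    if odd and slow:
        return client, "alert"       # malformed name AND delayed response
    if odd:
        return client, "suspicious"  # malformed name, normal latency
    if slow:
        return client, "slow-only"   # possibly just load; lowest priority
    return client, "ok"

def scan(text):
    """Group non-ok verdicts by client address."""
    findings = {}
    for line in text.splitlines():
        result = classify(line)
        if result and result[1] != "ok":
            findings.setdefault(result[0], []).append(result[1])
    return findings

if __name__ == "__main__":
    for client, verdicts in scan(SAMPLE_LOG).items():
        print(client, verdicts)
```

A client that alternates between "alert" and "suspicious" verdicts is the pattern to prioritise, since time-based inference depends on some requests being delayed and others not.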

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
