CVE-2022-45030
Description
A SQL injection vulnerability in rConfig 3.9.7 exists via lib/ajaxHandlers/ajaxCompareGetCmdDates.php?command= (this may interact with secure-file-priv).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection vulnerability in rConfig 3.9.7 allows an unauthenticated attacker to execute arbitrary SQL commands via the `command` parameter in `ajaxCompareGetCmdDates.php`.
Vulnerability
A SQL injection vulnerability exists in rConfig version 3.9.7 in the `lib/ajaxHandlers/ajaxCompareGetCmdDates.php` file. The `command` parameter is directly incorporated into an SQL query without proper sanitization or parameterization, allowing an attacker to inject arbitrary SQL commands. This issue may be exploitable in conjunction with the MySQL `secure-file-priv` setting [1].
Exploitation
An attacker can send a crafted HTTP GET request to the vulnerable endpoint with a malicious `command` parameter. Authentication is not required, as the endpoint is publicly accessible. The attacker does not need any special privileges or network position beyond the ability to send HTTP requests to the rConfig instance [2].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries on the database backend. Depending on database permissions and configuration (such as `secure-file-priv`), this could lead to reading sensitive data, modifying configuration, or potentially writing files to the filesystem [2].
Mitigation
As of the available references, no patched version has been released. Users of rConfig 3.9.7 should apply strict input validation on the `command` parameter and restrict network access to the management interface. The vendor suggests upgrading to the latest version (rConfig V8) for improved security [1].
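One way to apply the input validation described above is to check every request for the handler against an allow-list, either at a reverse proxy or retrospectively over web server access logs. The following is an added example, not rConfig code or part of the advisory; the allow-list pattern, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the CVE description.
HANDLER = "lib/ajaxHandlers/ajaxCompareGetCmdDates.php"
PARAM = "command"

# Assumption: legitimate values are plain device commands such as
# "show running-config". Adjust the allow-list to the commands you use.
ALLOWED = re.compile(r"[A-Za-z0-9 ._/-]{1,128}")

# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def check_url(url):
    """Return None if the URL is not the handler or passes validation,
    otherwise a short reason string."""
    parts = urlsplit(url)
    if not parts.path.endswith(HANDLER):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    if len(values) != 1:
        return "expected exactly one command parameter, got %d" % len(values)
    if not ALLOWED.fullmatch(values[0]):
        return "command value outside allow-list"
    return None


def scan(lines):
    """Yield (line_number, client, reason) for every rejected request."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        reason = check_url(match.group(1))
        if reason:
            yield number, line.split(" ", 1)[0], reason


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2023:10:00:00 +0000] "GET /lib/ajaxHandlers/ajaxCompareGetCmdDates.php?command=show%20running-config HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2023:10:00:05 +0000] "GET /lib/ajaxHandlers/ajaxCompareGetCmdDates.php?command=show%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096',
    '192.0.2.10 - - [01/Jan/2023:10:00:09 +0000] "GET /dashboard.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Because the endpoint is reachable without authentication, a hit from an address outside the management network is also a sign that access to the interface is not restricted as recommended.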
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- rConfig/rConfig
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.