Frappe Framework and ERPNext SQL Injection Vulnerability in the Client API

A SQL injection vulnerability has been identified in Frappe Framework version 15.72.4 and ERPNext version 15.67.0. The issue arises in the 'frappe.client.get_value' API endpoint, where the 'fieldname' parameter is improperly sanitized, allowing authenticated users to inject SQL payloads. This vulnerability can be exploited by inserting time-delay functions into the 'fieldname' parameter, leading to blind SQL injection attacks that cause response delays, enabling data extraction, manipulation, and potential denial-of-service conditions.

Impact

Exploitation of this vulnerability allows for time-based blind SQL injection, causing server response delays, blind extraction of data, and potential manipulation of database information. Additionally, if the application user has elevated database privileges, the impact could be more severe.

Reproduction

To reproduce this vulnerability, authenticate to a Frappe or ERPNext instance with a user that has access to the reporting API. Then, send a GET request to the '/api/method/frappe.client.get_value' endpoint, including a crafted 'fieldname' parameter that contains a SQL payload designed to exploit the injection vulnerability, such as a time-delay function. If the response is delayed by the expected amount of time, this indicates successful exploitation of the SQL injection vulnerability.

Remediation

Frappe and ERPNext developers should audit the 'frappe.client.get_value' API method to replace unsafe SQL concatenation with parameterized queries or prepared statements. Once this is done, a security patch should be released. Application operators should apply the update promptly.