SuiteCRM Blind SQL Injection issue

Hello,

I installed SuiteCRM under HTTPS, using Softaculous in my WHM. So far, I am able to access the login page. However, every time I try to log in, mod_security blocks access. Please see the warning message from mod_security below. Any advice to solve this issue is welcome.

211540: COMODO WAF: Blind SQL Injection Attack
Request: POST /index.php
Action Description: Access denied with code 403 (phase 2).
Justification: Pattern match “(?i:\b(?:t(?:able_name\b|extpos[^a-zA-Z0-9_]{1,}\()|(?:a(?:ll_objects|tt(?:rel|typ)id)|column_(?:id|name)|mb_users|object_(?:id|(?:nam|typ)e)|pg_(?:attribute|class)|rownum|s(?:ubstr(?:ing){0,1}|ys(?:c(?:at|o(?:lumn|nstraint)s)|dba|ibm|(?:filegroup|o …” at ARGS_NAMES:user_password.

Hi,

I made a test install through Softaculous without changing the user and password (user: admin, password: pass). No special characters in the password. Even so, mod_security blocks my login and warns about a Blind SQL Injection Attack. It seems SuiteCRM passwords are passed and stored into the SQL database in the clear, without any sort of hashing to protect them from prying eyes. Please, is there anybody at SuiteCRM who could check this important security issue?

Hi,

Please, does anybody have an idea about this issue?

Many thanks

Since implementing mod_security (ModSecurity for Apache/2.9.0, http://www.modsecurity.org/) with rules OWASP_CRS/2.2.9, I have the same problem.

It is a problem with the parameter name user_password.

I have implemented a custom rule in modsecurity_crs_60_customrules.conf to ignore that parameter. You can see two attempts; both work.

# SuiteCRM login parameter name problem
#SecRuleUpdateTargetById 950007 !ARGS_NAMES:user_password

# SuiteCRM login parameter name problem
SecRule REQUEST_FILENAME "@endsWith index.php" \
"phase:1,t:none,nolog,pass,id:9500071,ctl:ruleRemoveTargetByID=950007;ARGS_NAMES:user_password"

See here: https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--(Updated)-Exception-Handling/ for more details.

Cheers
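As an added example that is not part of this thread, the following Python helper triages a ModSecurity 2.x error-log line of the kind the thread discusses: it extracts the rule id, the matched variable, the parameter and the URI, and only when the match was on ARGS_NAMES (the field name, as with user_password) does it emit a scoped ctl:ruleRemoveTargetByID exception in the same form as the one posted above. The log lines, the helper's own rule id 9500071 and the paths are constructed assumptions, not taken from the thread or from SuiteCRM.

```python
import re

# Constructed sample log lines in the standard ModSecurity 2.x error-log format.
# The first mirrors the thread's false positive: CRS rule 950007 matched the
# *name* of the login field (ARGS_NAMES), not a submitted value.
SAMPLE_LOG = [
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match '
    '"(?i:\\b(?:t(?:able_name\\b|...)" at ARGS_NAMES:user_password. '
    '[file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[id "950007"] [msg "Blind SQL Injection Attack"] [uri "/index.php"]',
    # A match on a value (ARGS) must not be auto-exempted; it needs review.
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match '
    '"(?i:\\b(?:t(?:able_name\\b|...)" at ARGS:search_name. '
    '[id "950007"] [msg "Blind SQL Injection Attack"] [uri "/index.php"]',
]

EVENT_RE = re.compile(
    r'Pattern match ".*?" at (?P<var>[A-Z_]+):(?P<param>[^. \]]+)\..*?'
    r'\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]+)"\]'
)


def parse_event(line):
    """Return {var, param, id, uri} for a ModSecurity match line, or None."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def exception_rule(event, new_id):
    """Build a scoped exception for a false positive on a parameter *name*.

    Returns None when the match was on a value (e.g. ARGS), because that case
    may be a real injection attempt and should be reviewed by a human instead.
    """
    if event["var"] != "ARGS_NAMES":
        return None
    # Scope the exclusion to the request path and to the single parameter,
    # rather than disabling rule 950007 (or the whole target) globally.
    return (
        f'SecRule REQUEST_FILENAME "@endsWith {event["uri"]}" '
        f'"phase:1,t:none,nolog,pass,id:{new_id},'
        f'ctl:ruleRemoveTargetByID={event["id"]};ARGS_NAMES:{event["param"]}"'
    )


def triage(lines, first_id=9500071):
    """Map each log line to its generated exception rule (or None)."""
    results = []
    for offset, line in enumerate(lines):
        event = parse_event(line)
        results.append(exception_rule(event, first_id + offset) if event else None)
    return results
```

Run `triage(SAMPLE_LOG)` to see one exception rule for the user_password line and None for the value match, which is left for manual review.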