CVE-2024-10601 Overview
CVE-2024-10601 is a SQL injection vulnerability in Tongda2000 Office Anywhere (Tongda OA) versions 2017 through 11.10. The flaw exists in the /general/address/private/address/query/delete.php script, where the where_repeat parameter is passed to a backend SQL query without proper sanitization. Remote attackers with low-level privileges can manipulate the parameter to inject arbitrary SQL statements. The exploit details have been publicly disclosed, increasing the likelihood of opportunistic abuse against unpatched deployments. The weakness is tracked under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Authenticated remote attackers can inject SQL into the where_repeat parameter to read, modify, or delete records in the Tongda OA database.
Affected Products
- Tongda2000 Office Anywhere 2017
- Tongda2000 Office Anywhere through version 11.10
- Component: /general/address/private/address/query/delete.php
Discovery Timeline
- 2024-10-31 - CVE-2024-10601 published to the National Vulnerability Database
- 2024-11-04 - Last updated in NVD database
Technical Details for CVE-2024-10601
Vulnerability Analysis
The vulnerability resides in the address book deletion handler at /general/address/private/address/query/delete.php. The script accepts a where_repeat HTTP parameter and concatenates the value into a SQL statement executed against the Tongda OA database. Because the application performs no sanitization or parameterization on this input, attackers can break out of the intended SQL context and append arbitrary clauses.
Successful exploitation allows reading sensitive office automation data, modifying address book records, or deleting database content. The attack requires network access to the OA web interface and a low-privileged session, but no user interaction. Tongda OA is widely deployed for enterprise collaboration in Chinese-speaking markets, expanding the population of exposed instances.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command [CWE-89]. The delete.php endpoint trusts the where_repeat request parameter and interpolates it directly into a dynamically constructed query rather than binding it as a parameter. No allowlist, type check, or escaping routine constrains the value before it reaches the database driver.
Attack Vector
An authenticated remote attacker sends a crafted HTTP request to /general/address/private/address/query/delete.php with a malicious where_repeat value. The payload terminates the legitimate SQL fragment and appends attacker-controlled clauses such as UNION SELECT, time-based blind probes, or stacked statements where the database driver permits them. Because the exploit has been disclosed publicly through the GitHub issue tracker and VulDB submission #433498, defenders should assume automated scanning is feasible. Refer to the VulDB advisory for additional technical context.
Detection Methods for CVE-2024-10601
Indicators of Compromise
- HTTP requests to /general/address/private/address/query/delete.php containing SQL metacharacters such as ', --, UNION, SLEEP(, or BENCHMARK( in the where_repeat parameter.
- Unusual outbound database error responses or HTTP 500 entries originating from the address book delete endpoint.
- Spikes in request volume targeting delete.php from a single source IP, indicating automated exploitation attempts.
Detection Strategies
- Inspect web server access logs and WAF telemetry for anomalous query strings or POST bodies referencing where_repeat.
- Deploy SQL injection signatures on the perimeter that flag tautologies, comment sequences, and time-delay functions against Tongda OA URIs.
- Correlate web request anomalies with database audit logs to identify queries that deviate from the application's expected SQL templates.
Monitoring Recommendations
- Enable verbose logging on the Tongda OA application server and forward logs to a centralized analytics platform for retention and correlation.
- Alert on authenticated sessions issuing high volumes of address book requests, especially outside business hours.
- Track database account activity for unexpected SELECT against system tables or schema enumeration patterns following access to delete.php.
How to Mitigate CVE-2024-10601
Immediate Actions Required
- Restrict network exposure of the Tongda OA interface to trusted networks or VPN users until a vendor patch is applied.
- Deploy a web application firewall rule that blocks SQL metacharacters and known injection patterns in the where_repeat parameter.
- Audit existing address book records and database logs for evidence of tampering or unauthorized data access.
Patch Information
At the time of publication, no vendor advisory or fixed version has been linked in the NVD entry for CVE-2024-10601. Administrators should monitor the Tongda OA vendor channels and the VulDB tracking entry for an official update and apply it as soon as it becomes available.
Workarounds
- Block access to /general/address/private/address/query/delete.php at the reverse proxy or WAF when the address book delete functionality is not required.
- Enforce least-privilege database accounts for the OA service so injected statements cannot reach sensitive schemas.
- Revoke unused application accounts and rotate credentials to reduce the pool of low-privileged sessions available to attackers.
# Example NGINX snippet to block requests carrying SQL metacharacters
# in the where_repeat parameter of the affected endpoint
location /general/address/private/address/query/delete.php {
if ($arg_where_repeat ~* "('|--|union|select|sleep|benchmark)") {
return 403;
}
proxy_pass http://tongda_oa_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
