CVE-2024-10730 Overview
CVE-2024-10730 is a SQL injection vulnerability affecting Tongda Office Anywhere (Tongda OA) versions up to 11.6. The flaw exists in the /pda/appcenter/web_show.php endpoint, where the ID parameter is passed to a database query without proper sanitization. An authenticated remote attacker can manipulate the ID argument to inject arbitrary SQL statements. The exploit details have been publicly disclosed, increasing the risk of opportunistic attacks against exposed instances. The vulnerability is tracked under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Remote attackers with low-privilege access can extract, modify, or delete database contents in Tongda OA deployments through SQL injection in the web_show.php endpoint.
Affected Products
- Tongda2000 Office Anywhere versions up to 11.6
- Vulnerable endpoint: /pda/appcenter/web_show.php
- Vulnerable parameter: ID
Discovery Timeline
- 2024-11-03 - CVE-2024-10730 published to NVD
- 2024-11-04 - Last updated in NVD database
Technical Details for CVE-2024-10730
Vulnerability Analysis
The vulnerability resides in the /pda/appcenter/web_show.php script within Tongda OA's PDA application center module. The script accepts the ID parameter from HTTP requests and concatenates it into a backend SQL query without parameterized queries or input filtering. This allows an attacker to break out of the intended query context and append arbitrary SQL clauses.
The issue affects confidentiality, integrity, and availability of the underlying database. Successful exploitation enables data exfiltration, record tampering, and potential authentication bypass through credential extraction. Public disclosure of the exploit technique has occurred through GitHub issue discussion and the VulDB CTI Entry #282899.
Root Cause
The root cause is improper neutralization of special characters in user-supplied input passed to a SQL interpreter [CWE-89]. The ID parameter is directly interpolated into the SQL statement rather than being bound through prepared statements. Tongda OA's PHP code path lacks both type casting and escape routines for this parameter, leaving the query syntactically open to manipulation.
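As an added illustration (not Tongda OA's PHP, which this page does not reproduce), the Python below models the interpolation-versus-binding distinction described above against a constructed SQLite table: `web_show_vulnerable` mirrors the flawed pattern, while `web_show_fixed` applies the integer type check and parameter binding the paragraph calls for. Table and column names are invented.

```python
import re
import sqlite3

VALID_ID = re.compile(r"^[0-9]+$")   # the ID parameter is an integer record identifier

def make_db():
    """Constructed in-memory stand-in for the table that web_show.php reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO app VALUES (?, ?, ?)",
                     [(1, "mail", "s1"), (2, "calendar", "s2"), (3, "hr", "s3")])
    return conn

def web_show_vulnerable(conn, raw_id):
    """CWE-89 pattern: the untrusted value becomes part of the SQL text itself,
    so a value such as '0 OR 1=1' changes the WHERE clause instead of filtering it."""
    sql = "SELECT id, name FROM app WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def is_valid_id(raw_id):
    """Allow-list check: anything other than a bare positive integer is rejected."""
    return VALID_ID.match(raw_id) is not None

def web_show_fixed(conn, raw_id):
    """Hardened form: type check first, then bind the value as a parameter so the
    driver transmits it as data rather than as SQL text."""
    if not is_valid_id(raw_id):
        raise ValueError("ID must be numeric")
    return conn.execute("SELECT id, name FROM app WHERE id = ?", (int(raw_id),)).fetchall()
```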
Attack Vector
Exploitation is performed remotely over the network against the HTTP interface of Tongda OA. The attacker requires low-privilege authenticated access to the application, after which a crafted HTTP request to /pda/appcenter/web_show.php with a malicious ID value triggers the injection. Attackers typically employ UNION-based or boolean-blind SQL injection payloads to enumerate tables, extract session tokens, and dump user credentials. No user interaction is required to complete the attack chain once a request is issued.
The vulnerability mechanism is documented in the GitHub Issue Discussion and VulDB submission #433530. No verified proof-of-concept code is reproduced here.
Detection Methods for CVE-2024-10730
Indicators of Compromise
- HTTP requests targeting /pda/appcenter/web_show.php containing SQL meta-characters such as ', UNION, SELECT, --, or /* in the ID parameter
- Unusual database query patterns originating from the Tongda OA application service account
- Web server access logs showing repeated requests to the web_show.php endpoint with varying ID values, indicative of automated enumeration
- Outbound data transfers of abnormal volume from the database tier following requests to the vulnerable endpoint
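An added example, not part of the original advisory, that turns the indicators above into a log review: it scans combined-format access-log lines for requests to /pda/appcenter/web_show.php, flags ID values carrying the listed SQL meta-characters or failing a numeric allow-list, and reports client/account pairs that issue many distinct ID values. The log lines, account names and threshold are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote_plus, urlsplit
ENDPOINT = "/pda/appcenter/web_show.php"
# Meta-characters and keywords from the indicator list; a legitimate ID is a bare integer.
SQLI_PATTERN = re.compile(r"'|--|/\*|\b(?:union|select)\b", re.IGNORECASE)
VALID_ID = re.compile(r"^[0-9]+$")
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def endpoint_ids(path):
    """ID values (once URL-decoded) of a request to the vulnerable endpoint, else None."""
    parts = urlsplit(path)
    if parts.path != ENDPOINT:
        return None
    query = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return query.get("id", [])

def inspect_request(path):
    """Return ("sqli_signature" | "non_numeric_id", value) for a suspicious ID, else None."""
    for raw in endpoint_ids(path) or []:
        value = unquote_plus(raw)  # second decode pass catches double-encoded payloads
        if SQLI_PATTERN.search(value):
            return ("sqli_signature", value)
        if not VALID_ID.match(value):   # allow-list check catches what signatures miss
            return ("non_numeric_id", value)
    return None

def analyse_log(lines, enum_threshold=5):
    """Per-request findings plus (client, user) pairs that look like automated enumeration."""
    findings, ids_seen = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, user, path = m.groups()
        hit = inspect_request(path)
        if hit:
            findings.append((client, user) + hit)
        for raw in endpoint_ids(path) or []:
            ids_seen[(client, user)].add(raw)
    enumerators = [k for k, v in ids_seen.items() if len(v) >= enum_threshold]
    return findings, enumerators

# Constructed sample log lines (not real traffic): one benign user, one probing account.
SAMPLE_LOG = [
    '10.0.0.5 - zhang [03/Nov/2024:10:01:02 +0800] "GET /pda/appcenter/web_show.php?ID=42 HTTP/1.1" 200 1532',
    '10.0.0.9 - guest [03/Nov/2024:10:02:11 +0800] "GET /pda/appcenter/web_show.php?ID=42%27%20UNION%20SELECT%201 HTTP/1.1" 500 0',
    '10.0.0.9 - guest [03/Nov/2024:10:02:12 +0800] "GET /pda/appcenter/web_show.php?ID=1%20AND%201%3D1 HTTP/1.1" 200 1532',
] + [f'10.0.0.9 - guest [03/Nov/2024:10:02:{13 + i} +0800] "GET {ENDPOINT}?ID={i} HTTP/1.1" 200 10'
     for i in range(1, 7)]
```

The boolean-style value `1 AND 1=1` carries none of the listed meta-characters and is caught only by the numeric allow-list, which is why the two checks are layered.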
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect the ID parameter of requests to /pda/appcenter/web_show.php for SQL injection payload signatures
- Enable database query logging and alert on SQL syntax errors and malformed statements issued by the Tongda OA application database user
- Correlate web server logs with database audit logs to identify request-to-query patterns indicative of injection attempts
Monitoring Recommendations
- Monitor authentication logs for low-privilege accounts performing high-volume requests against /pda/appcenter/ endpoints
- Track database error rates and response time anomalies that may indicate blind SQL injection enumeration
- Alert on access to sensitive tables, particularly user, session, and configuration tables, by the OA application service account
How to Mitigate CVE-2024-10730
Immediate Actions Required
- Restrict network exposure of Tongda OA instances by placing them behind a VPN or trusted network segment until a vendor patch is applied
- Audit all authenticated user accounts and disable any unused or low-trust accounts that could be abused for exploitation
- Deploy WAF signatures to block SQL injection payloads targeting the /pda/appcenter/web_show.php endpoint and the ID parameter
- Review web and database logs retroactively for indicators of prior exploitation attempts
Patch Information
No vendor advisory or patch URL was published by Tongda2000 in the referenced data. Administrators should monitor the Tongda OA vendor channels for an official security update addressing the web_show.php SQL injection. Until a fix is available, compensating controls are required.
Workarounds
- Implement reverse-proxy rules that reject requests where the ID parameter is non-numeric or contains SQL meta-characters
- Apply least-privilege principles to the database account used by Tongda OA, removing unnecessary SELECT, UPDATE, or DROP permissions on sensitive tables
- Disable or restrict access to the /pda/appcenter/web_show.php endpoint at the web server layer if the PDA application center is not in active use
# Example Nginx rule to block non-numeric ID values on the vulnerable endpoint.
# Note: a request with no ID value at all is also rejected by this rule;
# relax it if the page is legitimately loaded without the parameter.
location /pda/appcenter/web_show.php {
    if ($arg_ID !~ "^[0-9]+$") {
        return 403;
    }
    # "tongda_oa_backend" is a placeholder upstream name; substitute the real backend
    proxy_pass http://tongda_oa_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.