CVE-2026-25861

Severity: Medium
CWE-916 — Weakness Type
Published: Jun 2, 2026  ·  Modified: Jun 5, 2026  ·  Source: NVD
CVSS v3: 5.9
📄 Description (English)

QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt() function within classes/Tools.php, which concatenates a static cookie key with the supplied password. Attackers can perform offline brute-force attacks against the MD5 hashes, with the risk compounded by auto-generated 8-character passwords assigned during guest-to-customer account conversion in classes/Customer.php, making credential recovery trivial.

🤖 AI Executive Summary

QloApps versions through 1.7.0 use weak MD5 hashing for password storage, allowing attackers to perform offline brute-force attacks against user credentials. The vulnerability is particularly severe for auto-generated 8-character passwords used during guest-to-customer conversions, making credential compromise trivial. While no public exploit exists, the weakness is fundamental and affects all installations using vulnerable versions.

🤖 AI Intelligence Analysis Analyzed: Jun 4, 2026 08:48
🇸🇦 Saudi Arabia Impact Assessment
Saudi e-commerce and hospitality sectors using QloApps are at significant risk, particularly those managing guest-to-customer conversions in hotel booking systems and online retail platforms. Banking and financial services integrations with QloApps payment modules face credential compromise risks. Government digital services and healthcare appointment systems using QloApps could expose citizen/patient data. Telecom providers offering QloApps-based services (STC, Mobily) and ARAMCO supply chain portals are vulnerable. The weak hashing directly violates SAMA CSF and NCA ECC requirements for cryptographic controls.
🏢 Affected Saudi Sectors
E-commerce and Retail, Hospitality and Tourism, Banking and Financial Services, Government Digital Services, Healthcare and Medical Services, Telecommunications, Energy and Utilities, Supply Chain and Logistics
⚖️ Saudi Risk Score (AI): 7.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all QloApps installations to identify version 1.7.0 and earlier
2. Force password reset for all users, especially those with auto-generated credentials
3. Implement rate limiting on login endpoints to mitigate brute-force attempts
4. Monitor for suspicious authentication patterns and credential stuffing attacks

PATCHING:
1. Upgrade to QloApps version after commit 64e9722 when released
2. If upgrade unavailable, apply custom patch to replace MD5 with bcrypt or Argon2 in classes/Tools.php
3. Implement proper password hashing: use password_hash() with PASSWORD_BCRYPT or PASSWORD_ARGON2ID
4. Remove static cookie key concatenation; use unique salts per password
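
The patching steps above replace one fast, unsalted MD5 over a fixed key plus the password with password_hash(). The PHP below is an added example written for this page; it is not QloApps code and not the fix in commit 64e9722. legacy_hash() is a hypothetical, simplified stand-in modelled on the description of Tools::encrypt(), LEGACY_COOKIE_KEY is a placeholder, and verify_and_upgrade() shows the usual migration: accept a legacy hash once at login, replace it with an Argon2id or bcrypt hash, and re-hash later when cost parameters change. This complements rather than replaces the forced reset in the immediate actions, because a hash that was already copied out of the database stays crackable offline no matter what the application does afterwards; rate limiting and WAF rules do not affect that part of the risk. The temporary-password generator goes one step beyond the listed steps by replacing short generated values with a CSPRNG-backed 16-character one.

```php
<?php
declare(strict_types=1);

// Added example, not QloApps code. Shows the weak pattern the advisory
// describes next to a hardened replacement and an in-place migration.

// Placeholder for the static cookie key the advisory mentions (assumption).
const LEGACY_COOKIE_KEY = 'placeholder-static-cookie-key';

// Hypothetical simplified stand-in for the legacy scheme: one fast, unsalted
// MD5 over a fixed key plus the password. Every account with the same
// password gets the same hash, and MD5 is cheap enough that an 8-character
// password space is searchable offline once the hashes are obtained.
function legacy_hash(string $password): string
{
    return md5(LEGACY_COOKIE_KEY . $password);
}

// Preferred algorithm: Argon2id when PHP was built with it, bcrypt otherwise.
function preferred_algo()
{
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
}

// Hardened hashing: slow algorithm, per-password salt generated by password_hash().
function hash_password(string $password): string
{
    return password_hash($password, preferred_algo());
}

// Verify a login and return the hash to store afterwards, or null on failure.
// A legacy MD5 value is accepted exactly once and replaced by a modern hash;
// a modern hash is re-hashed if the algorithm or cost parameters changed.
function verify_and_upgrade(string $password, string $stored): ?string
{
    // Legacy values are 32 lowercase hex chars; password_hash() output starts with "$".
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, legacy_hash($password))) {
            return null;
        }
        return hash_password($password);
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    return password_needs_rehash($stored, preferred_algo()) ? hash_password($password) : $stored;
}

// Temporary password for guest-to-customer conversion: CSPRNG, 16 symbols
// from a 62-symbol alphabet (about 95 bits), instead of a short generated value.
function generate_temporary_password(int $length = 16): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Usage with constructed values.
$legacyRow = legacy_hash('guest1234');
$migrated  = verify_and_upgrade('guest1234', $legacyRow);
assert($migrated !== null && $migrated[0] === '$');               // upgraded on first login
assert(verify_and_upgrade('wrongpass', $legacyRow) === null);     // wrong password rejected
assert(verify_and_upgrade('guest1234', $migrated) === $migrated); // stable afterwards
echo "migrated: $migrated\n";
echo "temporary password: " . generate_temporary_password() . "\n";
```

The caller persists whatever non-null value verify_and_upgrade() returns, so the legacy column disappears one login at a time while accounts that never log in again are covered by the forced reset. Detecting legacy rows by their 32-hex-character shape is only safe because password_hash() output always begins with a "$" prefix.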

COMPENSATING CONTROLS:
1. Implement Web Application Firewall (WAF) rules to detect offline hash cracking attempts
2. Deploy multi-factor authentication (MFA) for all user accounts
3. Enable account lockout after 5 failed login attempts
4. Implement SIEM rules to detect bulk password reset activities
5. Conduct offline hash analysis: if MD5 hashes are accessible, assume compromise

DETECTION:
1. Search application logs for password reset events in bulk
2. Monitor for authentication failures followed by successful logins from new IPs
3. Alert on any access to classes/Tools.php or classes/Customer.php
4. Implement file integrity monitoring on password storage mechanisms
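
Detection steps 1 and 2 above describe two heuristics: a burst of password resets, and repeated failures followed by a success from an address the account has not used before. The PHP below is an added example, not part of the advisory or of QloApps; it runs both rules over a constructed event log in a hypothetical "timestamp user ip result" format (the field names, the RESET/FAIL/OK values and the thresholds are all assumptions). In a real deployment the events would come from the application's authentication log or the SIEM mentioned in the compensating controls.

```php
<?php
declare(strict_types=1);

// Added example. Constructed authentication events in a hypothetical
// "timestamp user ip result" format; nothing here is real QloApps log output.
const SAMPLE_LOG = <<<'LOG'
2026-06-03T09:00:01Z guest1021 203.0.113.7 FAIL
2026-06-03T09:00:04Z guest1021 203.0.113.7 FAIL
2026-06-03T09:00:07Z guest1021 203.0.113.7 FAIL
2026-06-03T09:00:12Z guest1021 198.51.100.9 OK
2026-06-03T09:01:00Z alice 192.0.2.5 OK
2026-06-03T09:02:00Z alice 192.0.2.5 FAIL
2026-06-03T09:02:30Z alice 192.0.2.5 OK
2026-06-03T09:05:00Z guest1022 198.51.100.9 RESET
2026-06-03T09:05:01Z guest1023 198.51.100.9 RESET
2026-06-03T09:05:02Z guest1024 198.51.100.9 RESET
2026-06-03T09:05:03Z guest1025 198.51.100.9 RESET
LOG;

// Parse one event per line into ts (unix seconds), user, ip, result.
function parse_events(string $log): array
{
    $events = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        [$ts, $user, $ip, $result] = preg_split('/\s+/', trim($line));
        $events[] = ['ts' => strtotime($ts), 'user' => $user, 'ip' => $ip, 'result' => $result];
    }
    return $events;
}

// Rule 1: at least $threshold failures for an account inside $windowSec,
// then a success from an IP that account has never succeeded from before.
function suspicious_logins(array $events, int $threshold = 3, int $windowSec = 600): array
{
    $alerts   = [];
    $fails    = []; // user => timestamps of recent failures
    $knownIps = []; // user => set of IPs with an earlier successful login
    foreach ($events as $e) {
        $u = $e['user'];
        if ($e['result'] === 'FAIL') {
            $fails[$u][] = $e['ts'];
        } elseif ($e['result'] === 'OK') {
            $recent = array_filter($fails[$u] ?? [], fn($t) => $e['ts'] - $t <= $windowSec);
            $newIp  = !isset($knownIps[$u][$e['ip']]);
            if (count($recent) >= $threshold && $newIp) {
                $alerts[] = sprintf('%s: %d failures then success from new IP %s', $u, count($recent), $e['ip']);
            }
            $knownIps[$u][$e['ip']] = true;
            $fails[$u] = [];
        }
    }
    return $alerts;
}

// Rule 2: $threshold or more password resets from one source IP inside $windowSec.
function bulk_resets(array $events, int $threshold = 3, int $windowSec = 300): array
{
    $alerts = [];
    $byIp   = []; // ip => timestamps of resets
    foreach ($events as $e) {
        if ($e['result'] !== 'RESET') {
            continue;
        }
        $byIp[$e['ip']][] = $e['ts'];
        $recent = array_filter($byIp[$e['ip']], fn($t) => $e['ts'] - $t <= $windowSec);
        if (count($recent) === $threshold) { // fire once, when the threshold is first crossed
            $alerts[] = sprintf('%s: %d password resets within %ds', $e['ip'], $threshold, $windowSec);
        }
    }
    return $alerts;
}

$events = parse_events(SAMPLE_LOG);
foreach (array_merge(suspicious_logins($events), bulk_resets($events)) as $alert) {
    echo "ALERT $alert\n";
}
```

On the constructed sample the first account trips rule 1 (three failures, then a success from an address it had never used), the second does not (a single failure from an already known address), and the reset burst trips rule 2 once rather than on every further reset. Both rules are deliberately stateful per account or per source so that ordinary users who mistype a password once are not flagged.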
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.10.1.1 - Cryptographic controls for password protection
ECC 2024 A.10.2.1 - User authentication mechanisms
ECC 2024 A.10.2.3 - Password management systems
ECC 2024 A.14.2.1 - Secure development practices
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Asset management and cryptographic controls
SAMA CSF PR.AC-1 - Access control and authentication
SAMA CSF PR.DS-2 - Data security and encryption standards
SAMA CSF DE.CM-1 - Detection and monitoring of security events
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Cryptography
ISO 27001:2022 A.8.3 - Authentication
ISO 27001:2022 A.8.2.3 - Password management
ISO 27001:2022 A.14.2.1 - Secure development policy
🟣 PCI DSS v4.0.1
PCI DSS 3.2.1 - Strong cryptography for stored cardholder data
PCI DSS 8.2.3 - Password strength requirements
PCI DSS 8.2.4 - Password encryption and hashing
📊 CVSS Score: 5.9 / 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: N — Network
Attack Complexity: H — High
Privileges Required: N — None
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: H — High
Integrity: N — None
Availability: N — None
📋 Quick Facts
Severity: Medium
CVSS Score: 5.9
CWE: CWE-916
EPSS: 0.02%
Exploit: No
Patch: ✗ No
Published: 2026-06-02
Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.2 / 10.0
Priority: HIGH
🏷️ Tags
CWE-916