📄 Description (English)
MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data.
🤖 AI Executive Summary
MyT-PM 1.5.1 contains a critical SQL injection vulnerability in the Charge[group_total] parameter affecting authenticated users. Attackers can execute arbitrary SQL queries through the /charge/admin endpoint using error-based, time-based blind, or stacked query techniques to extract sensitive data or manipulate databases. No patch is currently available, making immediate compensating controls essential for affected Saudi organizations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 9, 2026 23:37
🇸🇦 Saudi Arabia Impact Assessment
High impact for Saudi financial services, government agencies, and healthcare organizations using MyT-PM for billing/charging systems. Banking sector (SAMA-regulated institutions) faces critical risk if MyT-PM manages payment processing or customer financial data. Government entities using this system for administrative billing are vulnerable to data exfiltration and unauthorized modifications. Healthcare providers managing patient billing systems could face HIPAA-equivalent compliance violations. Telecom operators (STC, Mobily) using MyT-PM for charge management face revenue assurance and customer data protection risks. Energy sector billing systems could be compromised.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare
Energy and Utilities
Telecommunications
E-commerce and Retail
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of MyT-PM 1.5.1 in your environment and document their criticality
2. Restrict network access to /charge/admin endpoint using WAF rules or network segmentation
3. Implement strict input validation and parameterized queries at application layer
4. Enable comprehensive SQL query logging and monitoring for suspicious patterns
5. Review database user permissions and apply principle of least privilege
COMPENSATING CONTROLS:
1. Deploy Web Application Firewall (WAF) rules to block SQL injection patterns in Charge[group_total] parameter
2. Implement database activity monitoring (DAM) to detect and alert on unauthorized queries
3. Apply database encryption for sensitive data at rest
4. Enforce multi-factor authentication for /charge/admin access
5. Implement rate limiting on /charge/admin endpoint
DETECTION RULES:
1. Monitor POST requests to /charge/admin containing SQL keywords (UNION, SELECT, DROP, INSERT, UPDATE, DELETE, EXEC, SCRIPT)
2. Alert on time-based delays in database responses (WAITFOR, SLEEP functions)
3. Track database error messages in application logs indicating SQL syntax errors
4. Monitor for unusual database connection patterns or privilege escalation attempts
5. Implement SIEM rules for Charge[group_total] parameter containing special characters: ', ", --, /*, ;, (, )
PATCHING STRATEGY:
1. Contact MyT-PM vendor for security updates or migration path
2. If no patch available, plan immediate upgrade to newer version or alternative solution
3. Implement temporary decommissioning of non-critical MyT-PM instances
4. For critical systems, implement application-level query parameterization as interim measure
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع حالات MyT-PM 1.5.1 في بيئتك وتوثيق أهميتها
2. تقييد الوصول إلى نقطة نهاية /charge/admin باستخدام قواعد WAF أو تقسيم الشبكة
3. تنفيذ التحقق الصارم من المدخلات والاستعلامات المعاملة على مستوى التطبيق
4. تفعيل تسجيل المراقبة الشاملة لاستعلامات SQL والكشف عن الأنماط المريبة
5. مراجعة أذونات مستخدم قاعدة البيانات وتطبيق مبدأ أقل امتياز
الضوابط التعويضية:
1. نشر قواعد جدار الحماية (WAF) لحجب أنماط حقن SQL في معامل Charge[group_total]
2. تنفيذ مراقبة نشاط قاعدة البيانات (DAM) للكشف والتنبيه عن الاستعلامات غير المصرح بها
3. تطبيق تشفير قاعدة البيانات للبيانات الحساسة في حالة السكون
4. فرض المصادقة متعددة العوامل لوصول /charge/admin
5. تنفيذ تحديد معدل على نقطة نهاية /charge/admin
قواعد الكشف:
1. مراقبة طلبات POST إلى /charge/admin تحتوي على كلمات SQL (UNION, SELECT, DROP, INSERT, UPDATE, DELETE, EXEC, SCRIPT)
2. التنبيه على التأخيرات المستندة إلى الوقت في استجابات قاعدة البيانات (وظائف WAITFOR, SLEEP)
3. تتبع رسائل خطأ قاعدة البيانات في سجلات التطبيق التي تشير إلى أخطاء بناء جملة SQL
4. مراقبة أنماط اتصال قاعدة البيانات غير العادية أو محاولات تصعيد الامتيازات
5. تنفيذ قواعد SIEM لمعامل Charge[group_total] يحتوي على أحرف خاصة: ', ", --, /*, ;, (, )
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Access Control and Authentication
5.2.1 - Data Protection and Encryption
5.3.1 - Application Security and Secure Development
5.4.1 - Vulnerability Management
5.5.1 - Incident Detection and Response
🔵 SAMA CSF
ID.GV-1 - Organizational cybersecurity policy
PR.AC-1 - Access control policy
PR.DS-1 - Data security policy
DE.CM-1 - Detection and monitoring
RS.RP-1 - Response planning
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security
A.6.1.1 - Information security roles and responsibilities
A.8.1.1 - User endpoint devices
A.9.2.1 - User registration and de-registration
A.9.4.3 - Password management
A.14.2.1 - Secure development policy
A.14.2.5 - Secure development environment
🟣 PCI DSS v4.0.1
Requirement 1 - Firewall configuration
Requirement 2 - Default passwords
Requirement 6 - Secure development and vulnerability management
Requirement 6.5.1 - Injection flaws prevention
Requirement 10 - Logging and monitoring
🔗 References & Sources 4
🔗
https://manageyourteam.net/
disclosure@vulncheck.com
Broken Link
🔗
https://sourceforge.net/projects/myt/
disclosure@vulncheck.com
Product
🔗
https://www.exploit-db.com/exploits/46084
disclosure@vulncheck.com
Exploit
VDB Entry
🔗
https://www.vulncheck.com/advisories/myt-pm-sql-injection-via-charge-group-total-parameter
disclosure@vulncheck.com
Third Party Advisory
📦 Affected Products / CPE 1 entries
myt_project:myt:1.5.1