CVE-2017-14703

9.8 CRITICAL

📋 TL;DR

CVE-2017-14703 is a critical SQL injection vulnerability in Cash Back Comparison Script 1.0. The search feature takes its search term from the path segment after /search/ (PHP's PATH_INFO, i.e. $_SERVER['PATH_INFO']) and uses it in a SQL query without escaping or parameterization, so a remote, unauthenticated attacker can execute arbitrary SQL against the application's database simply by requesting a crafted URL. Every installation of version 1.0 is affected, and the impact extends to the entire database and, through it, the web application itself.

💻 Affected Systems

Products:
  • Cash Back Comparison Script
Versions: 1.0
Operating Systems: All platforms running PHP with database backend
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0 regardless of configuration. Requires PHP and a database (typically MySQL).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the application database: theft or modification of every table, authentication bypass by reading or overwriting stored credentials, and, if the database account the script connects with holds file-write privileges (for MySQL, the FILE privilege, which allows SELECT ... INTO OUTFILE into a web-served directory), remote code execution on the web server.

🟠 Likely Case

Attackers extract sensitive user data (stored passwords or password hashes, personal information), modify database content such as cashback rates and merchant listings, or grant themselves administrative access to the application.

🟢 If Mitigated

With parameterized queries the crafted path segment is bound as a literal search term and simply returns no results; a WAF in front of the application can additionally block and log the attempt. Legitimate search functionality is unaffected.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable via web requests and the software is typically deployed as a public-facing web application.
🏢 Internal Only: MEDIUM - If deployed internally only, risk is reduced but still significant if internal users can be compromised.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available and demonstrates simple exploitation via crafted URLs. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch exists. Either migrate to an actively maintained alternative, or fix the code yourself: rewrite the search query in search.php to use prepared statements with bound parameters (PDO or mysqli) so that the PATH_INFO value is never concatenated into SQL text. Until that is done, apply the workarounds below.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Add an allowlist filter on the PATH_INFO segment before it reaches any SQL query.

Modify search.php so that $_SERVER['PATH_INFO'] is reduced to a safe character set before use, e.g. preg_replace('/[^a-zA-Z0-9\-_\/]/', '', $path_info). This strips quotes, whitespace, the = sign, comment sequences and everything else an injection payload depends on, but it also mangles legitimate multi-word or non-ASCII searches and only protects this one code path. Treat it as a stopgap until the query is rewritten with prepared statements.

Web Application Firewall Rule

Platform: all

Block SQL injection patterns in the path after /search/ (ModSecurity syntax).

Add WAF rule: SecRule REQUEST_URI "@detectSQLi" "id:1001,phase:1,t:none,t:urlDecodeUni,t:removeNulls,deny,status:403,log,msg:'SQLi attempt in PATH_INFO'"

The transformations matter: the request path arrives percent-encoded (a single quote is %27), and @detectSQLi (libinjection) only recognizes the decoded form. Note also that the OWASP Core Rule Set's SQL-injection rules inspect ARGS, cookies and request bodies, so a payload carried in the path can slip past them; this rule covers the path explicitly.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with SQL injection detection rules
  • Restrict network access to only trusted IP addresses using firewall rules

🔍 How to Verify

Check if Vulnerable:

Test (only against an instance you are authorized to test) by requesting /search/ followed by an injection payload, URL-encoded as a browser would send it, e.g. /search/%27%20OR%20%271%27%3D%271 (decoded: /search/' OR '1'='1). A database error in the response, or a result set that differs from the one returned for a harmless term, shows that the path segment reaches the query unescaped. A quieter check is a pair of requests that differ only in a true versus false condition (term' AND '1'='1 versus term' AND '1'='2): a vulnerable instance returns different results for the two, while a parameterized query returns the same empty result for both.

Check Version:

Check script version in admin panel or review source code for version markers

Verify Fix Applied:

Send the same crafted payloads again and confirm they are treated as literal search terms (empty result set, no database error, no difference between the true and false variants), and that ordinary searches still return their normal results.
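The mechanics behind the Input Validation Filter workaround and the verification step above, as an added example that is not code from Cash Back Comparison Script (which is PHP) or from this page: it rebuilds the search query in three variants against an in-memory SQLite table, the concatenated original, the allowlist-filtered stopgap using the same character class as the page's preg_replace(), and the parameterized fix, then runs the true/false differential check against each. The table name, columns and rows are constructed for the illustration and are not the script's real schema.

```python
import re
import sqlite3
from typing import Callable, List, Tuple

# Constructed stand-in for the script's merchant table; the schema and rows are
# assumptions for this illustration, not taken from Cash Back Comparison Script.
SAMPLE_ROWS = [
    ("amazon", 2.5, 1),
    ("ebay", 1.0, 1),
    ("hidden-store", 9.9, 0),  # unapproved: a correct search must never return it
]

# Same character allowlist as the preg_replace() workaround on this page.
ALLOWLIST = re.compile(r"[^a-zA-Z0-9\-_/]")


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the script's MySQL backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE offers (name TEXT, cashback REAL, approved INTEGER)")
    db.executemany("INSERT INTO offers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def search_vulnerable(db: sqlite3.Connection, term: str) -> List[Tuple]:
    """The bug class on this page: the path segment is spliced into the SQL text."""
    sql = ("SELECT name, cashback FROM offers WHERE approved = 1 AND name = '"
           + term + "'")
    return db.execute(sql).fetchall()


def search_filtered(db: sqlite3.Connection, term: str) -> List[Tuple]:
    """Workaround: strip every character outside the allowlist, then concatenate.
    Quotes, spaces and '=' never reach the query, so the payloads below are
    neutered, but the query is still assembled by string concatenation."""
    return search_vulnerable(db, ALLOWLIST.sub("", term))


def search_parameterized(db: sqlite3.Connection, term: str) -> List[Tuple]:
    """The real fix: the term is bound as a value and can only ever be data."""
    sql = "SELECT name, cashback FROM offers WHERE approved = 1 AND name = ?"
    return db.execute(sql, (term,)).fetchall()


# Boolean differential pair: identical except for a condition that is true in
# one payload and false in the other.
TRUE_PAYLOAD = "amazon' AND '1'='1"
FALSE_PAYLOAD = "amazon' AND '1'='2"


def looks_injectable(search: Callable[[str], list]) -> bool:
    """Differential check from the verification step: if the appended condition
    changes the result, the input is being evaluated as SQL, not as data."""
    try:
        return search(TRUE_PAYLOAD) != search(FALSE_PAYLOAD)
    except sqlite3.Error:
        # A database error on a crafted term is itself evidence of concatenation.
        return True


if __name__ == "__main__":
    db = make_db()
    dump = "' OR '1'='1"
    print("vulnerable   :", search_vulnerable(db, dump))     # all three rows
    print("filtered     :", search_filtered(db, dump))       # []
    print("parameterized:", search_parameterized(db, dump))  # []
    for label, fn in (("vulnerable", search_vulnerable),
                      ("filtered", search_filtered),
                      ("parameterized", search_parameterized)):
        print(f"{label:13}: injectable={looks_injectable(lambda t: fn(db, t))}")
```

The unapproved row is the point of the dump payload: the tautology short-circuits the approved = 1 condition, so a concatenated query leaks rows the application never intended to expose. The filtered variant passes the differential check only because the filter happens to remove every character those payloads need; it remains a concatenated query, which is why the page calls it a temporary workaround.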

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL syntax in access logs
  • Database error messages in application logs
  • Multiple failed search attempts with special characters

Network Indicators:

  • HTTP requests with SQL keywords, quote characters or comment sequences (raw or percent-encoded, e.g. %27 for a single quote) in the path segment after /search/
  • Unusual database connection patterns from web server

SIEM Query:

source="web_access.log" AND uri="*search/*" AND (uri="*UNION*" OR uri="*SELECT*" OR uri="*OR '1'='1*" OR uri="*%27*" OR uri="*'*" OR uri="*--*" OR uri="*%2D%2D*")

Access logs record the request path percent-encoded, so a quote normally appears as %27 and a space as %20; match both the raw and encoded forms, or URL-decode the field first if the SIEM supports it. Keyword matches on UNION and SELECT alone will also fire on merchants whose names contain those strings, so review hits in context rather than alerting on a single match.
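The SIEM query above as runnable detection logic, an added example that is not drawn from this page or from any SIEM product: it parses constructed Apache combined-format log lines, percent-decodes the path twice to catch double encoding, and scores the segment after /search/ against indicator patterns that require SQL structure rather than a lone quote. The log lines, addresses and user agents are made up for the illustration.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed Apache combined-format lines (no real server or host); two carry
# the kind of payload the public PoC for this CVE places after /search/.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2017:12:00:01 +0000] "GET /search/amazon HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:12:00:09 +0000] "GET /search/%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2017:12:01:15 +0000] "GET /search/1%27%20UNION%20SELECT%20user,password,3%20FROM%20users--%20- HTTP/1.1" 500 312 "-" "sqlmap/1.1"
198.51.100.23 - - [10/Oct/2017:12:01:16 +0000] "GET /search/best-buy HTTP/1.1" 200 3990 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2017:12:02:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2017:12:02:41 +0000] "GET /search/rock'n'roll%20shop HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicators evaluated on the decoded segment after /search/. A lone quote is
# not enough (see the rock'n'roll line); each pattern needs SQL structure.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("comment-seq", re.compile(r"--|/\*|#")),
    ("tautology", re.compile(
        r"\b(?:or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("quote-keyword", re.compile(
        r"['\"]\s*(?:or|and|union|select|sleep|benchmark)\b", re.I)),
]


def decode_path(raw: str) -> str:
    """Drop any query string and percent-decode twice so that a double-encoded
    quote (%2527) is seen as the ' the application will eventually receive."""
    return unquote(unquote(raw.split("?", 1)[0]))


def find_sqli(log_text: str) -> List[Dict]:
    """Return one alert per request whose /search/ segment matches an indicator."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_path(m["path"])
        if not decoded.startswith("/search/"):
            continue
        segment = decoded[len("/search/"):]
        hits = [name for name, rx in INDICATORS if rx.search(segment)]
        if hits:
            alerts.append({
                "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                "raw_path": m["path"], "decoded": decoded, "indicators": hits,
            })
    return alerts


def attempts_by_ip(alerts: List[Dict]) -> Dict[str, int]:
    """Count flagged requests per source: the 'multiple attempts' indicator above."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_sqli(SAMPLE_LOG)
    for a in found:
        print(a["time"], a["ip"], a["status"], a["decoded"], a["indicators"])
    print(attempts_by_ip(found))
```

Decoding before matching is what makes the difference from the raw wildcard query: the tautology on the second line is invisible to a search for OR '1'='1 in the encoded log, and the 500 status on the sqlmap line is the "database error" log indicator showing up alongside the path-based one.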
