CVE-2017-15373
📋 TL;DR
CVE-2017-15373 is a critical SQL injection vulnerability in E-Sic 1.0: the q parameter of esiclivre/restrito/inc/lkpcep.php is used in a database query without parameterization, so a remote attacker can run arbitrary SQL statements against the application's database. Every deployment running the vulnerable version is affected, and the data held by the application (including personal data of citizens who filed requests) can be read or altered.
💻 Affected Systems
- E-Sic 1.0 (the endpoint esiclivre/restrito/inc/lkpcep.php)
📦 What is this software?
E-Sic (e-SIC, Sistema Eletrônico do Serviço de Informação ao Cidadão) by Softwarepublico, the Brazilian public-software portal: a PHP web application that government bodies use to receive and answer citizens' access-to-information requests.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the application database: data theft, data manipulation, authentication bypass, and, if the application's database account has file-write or similar privileges, code execution on the database host.
Likely Case
Unauthorized access to sensitive personal data stored in the database, potentially including PII, credentials, or confidential records.
If Mitigated
Limited impact where the lookup uses parameterized queries with strict input validation and the application's database account is restricted to the tables and operations it actually needs.
🎯 Exploit Status
Public exploit write-ups and scripts are available; exploitation needs only an HTTP client and minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No official vendor advisory found
Restart Required: No
Instructions:
No official patch is known. Apply the code-level fix described under Temporary Workarounds to the affected file, or upgrade to a newer release if the vendor provides one.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation and parameterized queries for the q parameter in esiclivre/restrito/inc/lkpcep.php.
Modify the PHP code to use a prepared statement, for example: $stmt = $pdo->prepare('SELECT * FROM table WHERE column = :q'); $stmt->execute(['q' => $q]); (substitute the real table and column names). The value is then sent to the database as bound data rather than spliced into the SQL text, so a quote in q can no longer change the query.
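The following is an added example, not E-Sic's own code: a vulnerable lookup handler of the shape the advisory describes next to a hardened version that allow-lists the input and binds it as a parameter. The table and column names (cep), the allowed key format, and the SQLite demo data are assumptions; the real lkpcep.php query and schema are not shown on this page.

```php
<?php
// Added example, not E-Sic's own code. Assumed: a lookup of the form
// "WHERE cep = ?" on a table named `cep` (hypothetical names) and a
// configured PDO connection in $pdo.

// VULNERABLE pattern: $q is pasted straight into the SQL string, so a
// value such as  1' OR '1'='1  rewrites the WHERE clause.
function lookupVulnerable(PDO $pdo, string $q): array
{
    $sql = "SELECT * FROM cep WHERE cep = '" . $q . "'";   // DO NOT USE
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED pattern, step 1: allow-list the shape of the input.
// Hypothetical rule: 1..20 characters of letters, digits, spaces and '-'.
// Adjust to the real key format; the point is an allow-list, not a blocklist.
function validateQ(string $q): ?string
{
    $q = trim($q);
    if ($q === '' || strlen($q) > 20 || !preg_match('/^[A-Za-z0-9 \-]+$/', $q)) {
        return null;
    }
    return $q;
}

// HARDENED pattern, step 2: bind the validated value as a parameter.
function lookupSafe(PDO $pdo, string $q): array
{
    $clean = validateQ($q);
    if ($clean === null) {
        return [];   // reject; log the attempt if you want detection signal
    }
    $stmt = $pdo->prepare('SELECT * FROM cep WHERE cep = :q');
    $stmt->execute([':q' => $clean]);   // value travels separately from the SQL text
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Minimal demo on an in-memory SQLite database so the example runs offline.
// (On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server,
// not the driver, does the binding.)
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cep (cep TEXT, city TEXT)');
$pdo->exec("INSERT INTO cep VALUES ('01001000', 'Sao Paulo'), ('20040020', 'Rio de Janeiro')");

$payload = "1' OR '1'='1";
printf("vulnerable, payload: %d rows\n", count(lookupVulnerable($pdo, $payload))); // whole table
printf("hardened, payload:   %d rows\n", count(lookupSafe($pdo, $payload)));       // rejected
printf("hardened, legit key: %d rows\n", count(lookupSafe($pdo, '01001000')));     // one row
```

The validation step is defence in depth, not a substitute for the prepared statement: even if the allow-list is loosened later to accept punctuation, the bound parameter keeps the value from being interpreted as SQL.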
Web Application Firewall (WAF)
Deploy WAF rules that block SQL injection patterns in the q parameter of lkpcep.php.
A simple rule blocks requests whose URL-decoded q contains quotes, comment sequences (--, /*) or SQL keywords such as UNION, SELECT, INSERT, UPDATE, DELETE, DROP. Bare keyword matching is easily bypassed (case changes, inline comments, encoding) and can block legitimate input, so prefer a maintained rule set such as the OWASP Core Rule Set and treat the WAF as a stopgap until the code is fixed.
🧯 If You Can't Patch
- Block external access to the vulnerable endpoint using firewall rules or web server configuration
- Implement network segmentation to isolate the E-Sic host from other databases, and restrict its own database account to the E-Sic schema with the minimum privileges needed; segmentation does not protect the E-Sic database itself from this injection.
🔍 How to Verify
Check if Vulnerable:
Send a benign lookup, then a quote-bearing value, to esiclivre/restrito/inc/lkpcep.php?q=1' OR '1'='1 (URL-encoded as q=1%27%20OR%20%271%27%3D%271). Extra rows or a database error in the second response, compared with the first, shows that the input reaches the query unparameterized. A less noisy check is a boolean pair (1' AND '1'='1 versus 1' AND '1'='2) whose responses should be identical on a fixed install. Test only systems you are authorized to test.
Check Version:
Check the E-Sic version in the installation's configuration files or admin interface; 1.0 is the affected release.
Verify Fix Applied:
Repeat the injection requests: a fixed install returns the same response as for a non-existent key (or a generic error page) with no database error text, and the database query log shows the literal value bound as a parameter rather than spliced into the SQL.
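The boolean differential check described above, as an added example that is not part of the original page: three requests that differ only in the q value, compared against each other. The base URL is hypothetical, the transport is PHP's curl extension, and the fetch function is injectable so the comparison logic can be exercised with canned responses. If the restrito area sits behind a login, pass the session cookie.

```php
<?php
// Added example, not part of the page or of E-Sic. Non-destructive
// boolean-based verification for lkpcep.php. Hypothetical base URL;
// run only against systems you are authorized to test.

function fetchBody(string $url, ?string $cookie = null): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_FOLLOWLOCATION => true,
    ]);
    if ($cookie !== null) {
        curl_setopt($ch, CURLOPT_COOKIE, $cookie);   // e.g. 'PHPSESSID=...'
    }
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// $fetch is injectable so the decision logic can be tested without a network.
function probeLkpcep(string $base, ?string $cookie = null, callable $fetch = null): string
{
    $fetch = $fetch ?? 'fetchBody';
    $url   = rtrim($base, '/') . '/esiclivre/restrito/inc/lkpcep.php?q=';

    $baseline = $fetch($url . rawurlencode('1'), $cookie);
    $true     = $fetch($url . rawurlencode("1' AND '1'='1"), $cookie);
    $false    = $fetch($url . rawurlencode("1' AND '1'='2"), $cookie);

    if ($baseline === null || $true === null || $false === null) {
        return 'inconclusive: a request failed';
    }
    // An injected TRUE condition reproduces the baseline while an injected
    // FALSE condition changes it: the quote was interpreted as SQL.
    if ($true === $baseline && $false !== $baseline) {
        return 'likely vulnerable: injected boolean condition changes the response';
    }
    // Both payloads handled identically: rejected by validation, a WAF,
    // or looked up literally through a prepared statement.
    if ($true === $false) {
        return 'not confirmed: payloads do not influence the response';
    }
    return 'inconclusive: responses differ in a non-boolean way (dynamic content?)';
}

echo probeLkpcep('http://esic.example.invalid'), PHP_EOL;
```

Pages that embed timestamps or per-request tokens will never compare equal; strip those from the bodies before comparing, or compare the row count in the lookup result instead of the raw HTML.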
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Failed or anomalous authentication events that follow requests carrying SQL injection patterns (authentication bypass attempts)
- Requests to lkpcep.php with SQL keywords in parameters
Network Indicators:
- HTTP requests to lkpcep.php whose q parameter, after URL decoding, contains quotes, comment sequences (--, /*) or SQL keywords
- Unusual database connections from web server
SIEM Query:
Pseudo-syntax; adapt the field names to your SIEM, match case-insensitively, and match on the URL-decoded query string (or also on %27, the encoded single quote), since the raw log line will usually not contain a literal quote:
source="web_logs" AND uri="*lkpcep.php*" AND (param="*UNION*" OR param="*SELECT*" OR param="*OR '1'='1*" OR param="*%27*")
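The detection logic of the SIEM query, as an added example that is not part of the original page, run over constructed access log lines. Unlike the raw keyword match it URL-decodes the q parameter first, so encoded quotes, mixed-case keywords and inline comments are still caught. The log lines, addresses and timestamps are made up for the example; the log layout is the common Apache/nginx combined format.

```php
<?php
// Added example, not from the page. Scans combined-format access log lines
// for lkpcep.php requests whose decoded q parameter carries SQL-injection
// markers. The sample lines below are constructed, not real traffic.

// Quotes, comment openers, common keywords, or a tautology-style "OR ... =".
const SQLI_PATTERN = '/(\'|"|--|\/\*|#)|\b(union|select|insert|update|delete|drop|sleep|benchmark)\b|\bor\b.+=/i';

// Extract q from the request path; parse_str() URL-decodes, so %27 becomes '.
function decodeQ(string $requestPath): ?string
{
    $query = parse_url($requestPath, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);
    return isset($params['q']) && is_string($params['q']) ? $params['q'] : null;
}

// Returns one record per suspicious lkpcep.php request.
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // ip ident user [time] "METHOD path HTTP/x" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $time, , $path, $status] = $m;
        if (stripos($path, 'lkpcep.php') === false) {
            continue;   // only the vulnerable endpoint is of interest here
        }
        $q = decodeQ($path);
        if ($q !== null && preg_match(SQLI_PATTERN, $q)) {
            $hits[] = ['ip' => $ip, 'time' => $time, 'status' => (int) $status, 'q' => $q];
        }
    }
    return $hits;
}

$sampleLog = [
    // benign lookup
    '10.0.0.5 - - [10/Oct/2017:13:55:36 -0300] "GET /esiclivre/restrito/inc/lkpcep.php?q=01001000 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    // the tautology from the advisory, URL-encoded: a raw "*OR \'1\'=\'1*" match misses this line
    '203.0.113.9 - - [10/Oct/2017:13:56:02 -0300] "GET /esiclivre/restrito/inc/lkpcep.php?q=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9876 "-" "python-requests/2.18"',
    // mixed-case UNION probe with an inline comment to dodge keyword matching
    '203.0.113.9 - - [10/Oct/2017:13:56:05 -0300] "GET /esiclivre/restrito/inc/lkpcep.php?q=1%27%20uNiOn%2F**%2FsElEcT%201,2,3--%20- HTTP/1.1" 500 211 "-" "python-requests/2.18"',
    // quote on an unrelated endpoint: ignored by this scanner
    '10.0.0.7 - - [10/Oct/2017:13:57:10 -0300] "GET /esiclivre/index.php?busca=O%27Brien HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
];

foreach (scanAccessLog($sampleLog) as $hit) {
    printf("%s %s status=%d q=%s\n", $hit['time'], $hit['ip'], $hit['status'], $hit['q']);
}
// Expected: the two 203.0.113.9 lines are reported; the benign lookup and the
// index.php request are not.
```

The larger response size on the tautology request (9876 bytes against 512 for a normal lookup) and the 500 on the UNION probe are the same signals a SIEM should correlate: a single source hitting lkpcep.php with quote-bearing values and a response size or status that departs from the baseline.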