CVE-2017-15987
📋 TL;DR
CVE-2017-15987 is a critical SQL injection vulnerability in Fake Magazine Cover Script that allows attackers to execute arbitrary SQL commands through the value parameter of rate.php or the id parameter of content.php. It affects all websites running vulnerable versions of this script, potentially exposing database contents and allowing system access.
💻 Affected Systems
- Fake Magazine Cover Script
📦 What is this software?
Fake Magazine Cover Script by Fake Magazine Cover Script Project
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, and potential remote code execution on the underlying server.
Likely Case
Database content extraction including user credentials, sensitive information, and potential website defacement.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing SQL injection.
🎯 Exploit Status
Exploit code is publicly available and requires minimal technical skill to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: Not available
Restart Required: No
Instructions:
1. Replace vulnerable scripts with secure versions using parameterized queries.
2. Implement input validation and sanitization.
3. Consider replacing with maintained software.
🔧 Temporary Workarounds
Input Validation Filter
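all: Add input validation to rate.php and content.php parameters
// In content.php, before the id parameter is used:
if (!isset($_GET['id']) || !is_numeric($_GET['id'])) { die('Invalid input'); }
// In rate.php, before the value parameter is used:
if (!isset($_GET['value']) || !is_numeric($_GET['value'])) { die('Invalid input'); }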
Web Application Firewall Rules
linux: Block SQL injection patterns in rate.php and content.php
# ModSecurity rule:
SecRule ARGS "(?i:(union|select|insert|update|delete|drop|alter).*)" "id:1001,phase:2,deny,msg:'SQL Injection Attempt'"
# For Apache mod_rewrite (requires RewriteEngine On); returns 403 for matching requests to the two scripts:
RewriteCond %{QUERY_STRING} (union|select|insert|update|delete|drop|alter) [NC]
RewriteRule (rate|content)\.php$ - [F]
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with SQL injection rules
- Restrict access to vulnerable scripts using IP whitelisting or authentication
🔍 How to Verify
Check if Vulnerable:
Test rate.php?value=1' OR '1'='1 and content.php?id=1' OR '1'='1 for SQL error responses
Check Version:
Check script files for modification dates and compare with known vulnerable versions
Verify Fix Applied:
Test with same payloads and verify no SQL errors or unexpected behavior occurs
📡 Detection & Monitoring
Log Indicators:
- SQL syntax errors in web server logs
- Unusual parameter values in rate.php or content.php requests
- Multiple failed SQL query attempts
Network Indicators:
- HTTP requests containing SQL keywords to vulnerable endpoints
- Unusual database query patterns from web server
SIEM Query:
source="web.log" AND (uri_path="/rate.php" OR uri_path="/content.php") AND (query_string="*union*" OR query_string="*select*" OR query_string="*insert*")
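The log indicators and SIEM query above, as an added example (not part of the original advisory or of the script's own code): a Python filter that flags requests to rate.php and content.php whose value or id parameter contains a SQL keyword or is not numeric. The combined access-log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter the advisory names for each vulnerable script.
WATCHED = {"rate.php": "value", "content.php": "id"}
# Keywords taken from the page's WAF rule and SIEM query.
SQL_WORDS = re.compile(r"\b(union|select|insert|update|delete|drop|alter)\b", re.I)
NUMERIC = re.compile(r"[+-]?\d+(\.\d+)?")
# Client and request target of a combined-format access log line (assumed format).
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def inspect(line):
    """Return (client, script, reason) for a suspicious request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target, _status = m.groups()
    url = urlsplit(target)
    script = url.path.rsplit("/", 1)[-1].lower()
    param = WATCHED.get(script)
    if param is None:
        return None  # not one of the two affected scripts
    # parse_qs percent-decodes values; keep_blank_values so "id=" is still seen.
    for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
        if SQL_WORDS.search(value):
            return (client, script, "sql-keyword")
        if not NUMERIC.fullmatch(value.strip()):
            return (client, script, "non-numeric")
    return None

def scan(lines):
    """Return the findings for every suspicious line, in input order."""
    return [hit for hit in map(inspect, lines) if hit]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Nov/2017:10:00:01 +0000] "GET /content.php?id=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Nov/2017:10:00:07 +0000] "GET /content.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 310',
    '192.0.2.44 - - [01/Nov/2017:10:00:09 +0000] "GET /rate.php?value=1+UNION+SELECT+1 HTTP/1.1" 200 48',
    '192.0.2.10 - - [01/Nov/2017:10:00:12 +0000] "GET /rate.php?value=5 HTTP/1.1" 200 48',
    '192.0.2.10 - - [01/Nov/2017:10:00:15 +0000] "GET /index.php?q=select+a+cover HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit)
```

The non-numeric check matters because the quote-based test string from the verification step contains none of the keywords in the SIEM query, so a keyword-only search would miss it.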