CVE-2017-17103

8.8 HIGH

📋 TL;DR

CVE-2017-17103 is a SQL injection vulnerability in Fiyo CMS 2.0.7 that allows an authenticated attacker to manipulate database queries through user input fields handled by the user management component (/apps/app_user/sys_user.php). This enables privilege escalation from a normal user to administrator, potentially granting full control of the site. Anyone running Fiyo CMS 2.0.7 with the vulnerable component enabled is affected.

💻 Affected Systems

Products:
  • Fiyo CMS
Versions: 2.0.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the user management component (/apps/app_user/sys_user.php) to be accessible


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with administrative access, data theft, and potential ransomware deployment

🟠 Likely Case: Unauthorized administrative access leading to website defacement, data manipulation, and backdoor installation

🟢 If Mitigated: Limited impact with proper input validation and database permissions restricting query execution

🌐 Internet-Facing: HIGH - Web applications are directly accessible and vulnerable to automated scanning
🏢 Internal Only: MEDIUM - Requires authenticated access but internal users could exploit for privilege escalation

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access, but SQL injection payloads of this kind are well documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.8 or later

Vendor Advisory: https://github.com/FiyoCMS/FiyoCMS/issues/10

Restart Required: No

Instructions:

1. Back up the current installation.
2. Download Fiyo CMS 2.0.8 or later.
3. Replace the vulnerable files.
4. Verify functionality.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Add parameterized queries and input validation to sys_user.php: modify /apps/app_user/sys_user.php to use prepared statements for $_POST[name] and $_POST[email].
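An added example, not Fiyo CMS's own code, of the weak string-interpolation pattern beside the prepared-statement form this workaround calls for; the `user` table, its columns and the function names are assumed for illustration.

```php
<?php
// Added illustrative example, not Fiyo CMS's own code. The `user` table, its
// columns and the function names are assumptions made for this demo.
declare(strict_types=1);

// Weak pattern: request values are spliced into the SQL text, so whatever the
// user submits becomes part of the query (the bug class behind CVE-2017-17103).
function updateProfileUnsafe(PDO $db, int $userId, array $post): int
{
    $sql = "UPDATE user SET name='{$post['name']}', email='{$post['email']}' WHERE id={$userId}";
    return (int) $db->exec($sql);
}

// Hardened pattern: validate first, then bind every value. The SQL text is
// fixed, so the driver hands the input to the database strictly as data.
function updateProfileSafe(PDO $db, int $userId, array $post): int
{
    $name  = trim((string) ($post['name'] ?? ''));
    $email = trim((string) ($post['email'] ?? ''));
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('name must be 1-64 bytes');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email is not well formed');
    }
    $stmt = $db->prepare('UPDATE user SET name = :name, email = :email WHERE id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demo against an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO user VALUES (1, 'alice', 'alice@example.test')");

// A perfectly legitimate name containing a quote character.
$post = ['name' => "O'Brien", 'email' => 'obrien@example.test'];
try {
    updateProfileUnsafe($db, 1, $post);   // the quote breaks the query text
} catch (PDOException $e) {
    echo "unsafe: query rejected by the database: {$e->getMessage()}\n";
}

updateProfileSafe($db, 1, $post);          // stored literally, query text unchanged
echo 'safe: ', $db->query('SELECT name FROM user WHERE id = 1')->fetch(PDO::FETCH_ASSOC)['name'], "\n";
```

The same quote that makes the unsafe query fail is what an attacker would use to change its meaning; with bound parameters it is just a byte in the stored name.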

Access Restriction (platform: linux)

Temporarily disable or restrict access to the vulnerable component:

chmod 000 /apps/app_user/sys_user.php

Add authentication middleware to restrict access.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with SQL injection rules
  • Restrict database user permissions to minimum required

🔍 How to Verify

Check if Vulnerable:

Check whether the installation runs Fiyo CMS 2.0.7 and whether /apps/app_user/sys_user.php exists and passes $_POST parameters into database queries without validation.

Check Version:

Check CMS configuration files or admin panel for version information

Verify Fix Applied:

Verify that the version is 2.0.8 or later, and confirm that SQL injection test inputs in the name/email fields are rejected with errors rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by successful admin access
  • POST requests to sys_user.php with SQL keywords

Network Indicators:

  • HTTP POST requests containing SQL injection patterns to vulnerable endpoint

SIEM Query:

source="web_logs" AND uri="/apps/app_user/sys_user.php" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "OR 1=1")
