Login Sign Up

CVE-2017-17604

9.8 CRITICAL
SQL Injection

📋 TL;DR

This vulnerability allows attackers to execute arbitrary SQL commands through the sourcebus parameter in booker_details.php in Entrepreneur Bus Booking Script. It affects all systems running version 3.0.4 of this software. Successful exploitation could lead to complete database compromise.

💻 Affected Systems

Products:
  • Entrepreneur Bus Booking Script
Versions: 3.0.4
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 3.0.4 regardless of configuration.

📦 What is this software?

Entrepreneur Bus Booking Script by Entrepreneur Bus Booking Script Project

View all CVEs affecting Entrepreneur Bus Booking Script →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full database compromise allowing data theft, modification, or deletion, and potential remote code execution if database permissions allow.

🟠

Likely Case

Unauthorized access to sensitive booking data, customer information, and potential privilege escalation.

🟢

If Mitigated

Limited impact with proper input validation and parameterized queries in place.

🌐 Internet-Facing: HIGH - The vulnerability is in a web-facing script with public exploit code available.
🏢 Internal Only: MEDIUM - Still significant risk if internal users can access the vulnerable endpoint.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts are available requiring minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No known vendor advisory

Restart Required: No

Instructions:

1. Check if newer versions exist from the vendor. 2. If no patch, implement workarounds immediately. 3. Consider migrating to alternative software.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add input validation and parameterized queries to booker_details.php

Edit booker_details.php to replace raw SQL with prepared statements using PDO or mysqli

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns

Configure WAF to block requests containing SQL keywords in sourcebus parameter

🧯 If You Can't Patch

  • Block external access to booker_details.php via firewall rules
  • Implement network segmentation to isolate the vulnerable system

🔍 How to Verify

Check if Vulnerable:

Test the sourcebus parameter with SQL injection payloads like ' OR '1'='1

Check Version:

Check script version in admin panel or readme files

Verify Fix Applied:

Test with SQL injection payloads after implementing fixes to ensure they're blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple requests to booker_details.php with SQL keywords

Network Indicators:

  • SQL keywords in HTTP GET parameters
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND (url="*booker_details.php*" AND (param="*sourcebus*" AND value="*OR*" OR value="*UNION*" OR value="*SELECT*"))

📊 Metadata

CVE ID: CVE-2017-17604
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: December 13, 2017
Last Updated: April 20, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2017-17604, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)