CVE-2017-17618

9.8 CRITICAL

📋 TL;DR

CVE-2017-17618 is a critical SQL injection vulnerability in Kickstarter Clone Script 2.0 that allows attackers to execute arbitrary SQL commands via the investcalc.php projid parameter. This affects all deployments of this specific crowdfunding script, potentially compromising the entire database. Attackers can steal sensitive data, modify database contents, or gain administrative access.

💻 Affected Systems

Products:
  • Kickstarter Clone Script
Versions: 2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any installation using the vulnerable investcalc.php file is affected regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution if database functions allow it.

🟠 Likely Case: Unauthorized data extraction including user credentials, payment information, and project data, followed by authentication bypass and privilege escalation.

🟢 If Mitigated: Limited impact with proper input validation and parameterized queries preventing SQL injection, though other vulnerabilities may still exist.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts are available and require minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

1. Replace vulnerable investcalc.php with patched version if available
2. Implement parameterized queries
3. Add input validation for projid parameter
4. Test thoroughly before deployment

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Add server-side validation to ensure projid parameter contains only numeric values

// PHP example (also handles a missing parameter, which would otherwise raise a warning):
if (!isset($_GET['projid']) || !is_numeric($_GET['projid'])) { http_response_code(400); die('Invalid input'); }
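The following is an added example, not the vendor's investcalc.php and not code from the advisory. It combines the numeric-only validation of the workaround above with the parameterized query recommended in the fix instructions (steps 2 and 3), and runs against an in-memory SQLite database. The `projects` table, its columns, and the function names are assumptions made for this illustration.

```php
<?php
// Added example, not the vendor's investcalc.php: a hardened handler for the
// projid parameter combining strict integer validation (the workaround above)
// with a PDO prepared statement (the recommended fix). The `projects` table
// and its columns are assumptions made for this illustration.

declare(strict_types=1);

/**
 * Accept only an unsigned decimal integer for projid.
 * Returns the integer, or null when the request must be rejected.
 */
function parseProjectId($raw): ?int
{
    // $_GET values can be arrays (projid[]=1), so insist on a string first.
    // ctype_digit refuses signs, whitespace, exponents, quotes and keywords,
    // so "1' OR '1'='1", "1 UNION ...", "-1", "1e3" and "" are all rejected.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    $id = (int) $raw;          // at most 10 digits, so no overflow on 64-bit PHP
    return $id > 0 ? $id : null;
}

/**
 * Fetch a project's funding goal. The id reaches the driver as a bound
 * integer parameter, never as text spliced into the SQL statement.
 */
function fetchProjectGoal(PDO $db, int $projid): ?array
{
    $stmt = $db->prepare('SELECT id, goal_amount FROM projects WHERE id = :id');
    $stmt->bindValue(':id', $projid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration with constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE projects (id INTEGER PRIMARY KEY, goal_amount INTEGER)');
$db->exec('INSERT INTO projects (id, goal_amount) VALUES (1, 5000), (2, 12000)');

// Constructed inputs: legitimate ids, the probe string quoted in the advisory,
// and other values the validator must refuse.
$samples = ['1', '2', '9', "1' OR '1'='1", '1 UNION SELECT 1,2', '-1', '1e3', '', ['1']];
foreach ($samples as $raw) {
    $id = parseProjectId($raw);
    if ($id === null) {
        printf("projid=%-22s -> rejected, respond 400\n", json_encode($raw));
        continue;
    }
    $row = fetchProjectGoal($db, $id);
    printf("projid=%-22s -> %s\n", $id,
        $row === null ? 'no such project, respond 404' : json_encode($row));
}
```

In the real script the call site becomes `$id = parseProjectId($_GET['projid'] ?? null);` followed by the prepared statement; the validation step alone already blocks the published probe, and the bound parameter keeps the query safe even if a future change relaxes the validation.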

WAF Rule Implementation

Applies to: all

Deploy web application firewall rules to block SQL injection patterns

# ModSecurity example: SecRule ARGS:projid "@detectSQLi" "id:1001,phase:2,deny"

🧯 If You Can't Patch

  • Isolate the vulnerable system behind a WAF with SQL injection protection rules
  • Restrict network access to only necessary IP addresses and implement strict monitoring

🔍 How to Verify

Check if Vulnerable:

Test investcalc.php with SQL injection payloads like: investcalc.php?projid=1' OR '1'='1

Check Version:

Check script documentation or configuration files for version information

Verify Fix Applied:

Attempt SQL injection tests and verify they are blocked or sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual database query patterns
  • Multiple failed login attempts from single IP
  • SQL syntax errors in application logs

Network Indicators:

  • Unusual POST/GET requests to investcalc.php with SQL keywords
  • Traffic spikes to vulnerable endpoint

SIEM Query:

source="web_logs" AND uri="*investcalc.php*" AND (query="*UNION*" OR query="*SELECT*" OR query="*OR '1'='1*")
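The log and network indicators above, turned into a check that runs over sample access-log lines. This is an added example and not part of the advisory; the log lines are constructed, and the format is assumed to be the Apache/nginx "combined" format (adjust `LOG_LINE_RE` for other formats). It flags any request to investcalc.php whose projid is not a plain integer, classifies SQL keywords, comment openers and quotes inside the value, and counts alerts per source address so a burst from one IP stands out.

```php
<?php
// Added example, not part of the advisory: the log and network indicators
// above as a check over constructed sample access-log lines. The format is
// assumed to be Apache/nginx "combined"; adjust LOG_LINE_RE for other formats.

declare(strict_types=1);

const LOG_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})/';
// SQL keywords, comment openers and quotes have no place in a numeric id.
const SQLI_RE = '/\b(UNION|SELECT|SLEEP|BENCHMARK|INFORMATION_SCHEMA)\b|--|\/\*|;|\'/i';

/** Return an alert for a suspicious investcalc.php request, or null if the line is benign. */
function inspectLogLine(string $line): ?array
{
    if (!preg_match(LOG_LINE_RE, $line, $m)) {
        return null;                       // unparseable line: not this detector's job
    }
    [, $ip, $time, $method, $target, $status] = $m;

    $path  = parse_url($target, PHP_URL_PATH);
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($path) || !preg_match('~(^|/)investcalc\.php$~', $path)) {
        return null;                       // other endpoints are out of scope here
    }
    parse_str(is_string($query) ? $query : '', $params);   // also URL-decodes values
    $projid = $params['projid'] ?? null;

    $reasons = [];
    if (!is_string($projid) || !ctype_digit($projid)) {
        $reasons[] = 'projid is not a plain integer';
    }
    if (is_string($projid) && preg_match(SQLI_RE, $projid)) {
        $reasons[] = 'SQL keyword, comment or quote inside projid';
    }
    if ($reasons === []) {
        return null;
    }
    return [
        'ip' => $ip, 'time' => $time, 'method' => $method,
        'projid' => is_string($projid) ? $projid : null,
        'status' => (int) $status, 'reasons' => $reasons,
    ];
}

/** Run the detector over many lines and count alerts per source IP. */
function scanAccessLog(array $lines): array
{
    $alerts = [];
    $perIp  = [];
    foreach ($lines as $line) {
        $alert = inspectLogLine($line);
        if ($alert !== null) {
            $alerts[] = $alert;
            $perIp[$alert['ip']] = ($perIp[$alert['ip']] ?? 0) + 1;
        }
    }
    return ['alerts' => $alerts, 'per_ip' => $perIp];
}

// Constructed sample lines: one normal request, two probes from the same
// source, and one request to a different script that must not fire.
$sampleLog = [
    '203.0.113.10 - - [10/Dec/2017:14:03:22 +0000] "GET /investcalc.php?projid=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.55 - - [10/Dec/2017:14:03:25 +0000] "GET /investcalc.php?projid=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096 "-" "curl/7.55"',
    '203.0.113.55 - - [10/Dec/2017:14:03:26 +0000] "GET /investcalc.php?projid=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 221 "-" "curl/7.55"',
    '203.0.113.10 - - [10/Dec/2017:14:04:01 +0000] "GET /index.php?projid=1%27 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
];

$result = scanAccessLog($sampleLog);
foreach ($result['alerts'] as $a) {
    printf("[%s] %s %s projid=%s status=%d: %s\n", $a['time'], $a['ip'], $a['method'],
        $a['projid'] ?? '(missing)', $a['status'], implode('; ', $a['reasons']));
}
// Several alerts from one address in a short window is the "traffic spike" indicator.
foreach ($result['per_ip'] as $ip => $n) {
    printf("%s: %d suspicious request(s) to investcalc.php\n", $ip, $n);
}
```

Run over the sample, only the two requests from 203.0.113.55 produce alerts; the legitimate `projid=7` request and the probe against index.php are ignored. A 500 status on a flagged line corresponds to the "SQL syntax errors in application logs" indicator and is worth correlating with the application's own error log.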
