CVE-2017-17621

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to execute arbitrary SQL commands by manipulating the PATH_INFO parameter of the /detail URI in Multivendor Penny Auction Clone Script 1.0. Successful exploitation could lead to database compromise, data theft, or complete system takeover. Any deployment of this script version is affected.

💻 Affected Systems

Products:
  • Multivendor Penny Auction Clone Script
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects web applications using this specific script version regardless of underlying OS or web server.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, authentication bypass, remote code execution, and full system control.

🟠 Likely Case

Database information disclosure, data manipulation, and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, though SQL injection attempts would still be logged.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts available, requiring minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch is available. Upgrade to a newer version if one exists, or apply the workarounds below.

🔧 Temporary Workarounds

Input Validation Filter
Platform: all

  • Validate and sanitize the PATH_INFO value before it is used in any SQL query
  • Use parameterized queries or prepared statements in the PHP code

Web Application Firewall Rule
Platform: all

  • Block SQL injection patterns in PATH_INFO on the /detail URI
  • Add a WAF rule that denies requests to /detail whose PATH_INFO contains SQL keywords

🧯 If You Can't Patch

  • Implement network segmentation to isolate the vulnerable system
  • Deploy web application firewall with SQL injection detection rules

🔍 How to Verify

Check if Vulnerable:

Test by requesting the /detail URI with a SQL injection payload in PATH_INFO (e.g., /detail' OR '1'='1)

Check Version:

Check script version in admin panel or configuration files

Verify Fix Applied:

Re-send the SQL injection payloads and verify that they are blocked or sanitized

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in web server logs
  • Unusual database queries from web application

Network Indicators:

  • HTTP requests to /detail with SQL keywords in PATH_INFO

SIEM Query:

source="web_server" AND uri="/detail" AND (path_info CONTAINS "UNION" OR path_info CONTAINS "SELECT" OR path_info CONTAINS "OR '1'='1'")
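The SIEM query above, run offline over constructed web-server log lines, as an added example that is not part of this advisory; the sample lines, the PATH_INFO extraction and the keyword list are assumptions that mirror the query.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2018:10:15:01 +0000] "GET /detail/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2018:10:15:07 +0000] "GET /detail%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312 "-" "curl/7.58.0"
198.51.100.3 - - [10/Jan/2018:10:16:22 +0000] "GET /detail/7%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 8871 "-" "python-requests/2.18"
203.0.113.5 - - [10/Jan/2018:10:17:00 +0000] "GET /search?q=select+auction HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Keyword checks mirroring the SIEM query (UNION, SELECT, OR '1'='1'),
# with the tautology check generalised to any OR 'x'='... form.
SQLI_PATTERNS = [
    re.compile(r"\bUNION\b", re.I),
    re.compile(r"\bSELECT\b", re.I),
    re.compile(r"\bOR\b\s*'[^']*'\s*=\s*'", re.I),
]

def path_info(uri: str) -> Optional[str]:
    """Decoded PATH_INFO for a /detail request; None for any other URI."""
    path = uri.split("?", 1)[0]  # the query string is not part of PATH_INFO
    if not path.startswith("/detail"):
        return None
    # Decode %XX; '+' is also normalised to a space to catch query-style encodings.
    return unquote_plus(path[len("/detail"):])

def flag_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if it is not suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    info = path_info(m["uri"])
    if info is None:
        return None
    hits = [p.pattern for p in SQLI_PATTERNS if p.search(info)]
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
            "path_info": info, "hits": hits}

def scan(log_text: str) -> list:
    """Findings for every line of a log, in file order."""
    return [f for f in map(flag_line, log_text.splitlines()) if f]
```

Tune the keyword list against legitimate /detail paths before alerting on it, since words like SELECT or OR can occur in item slugs; the matching is applied only to the decoded PATH_INFO, so the query string of other endpoints does not trigger it.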
