CVE-2017-17625
📋 TL;DR
CVE-2017-17625 is a critical SQL injection vulnerability in Professional Service Script 1.0 that allows attackers to execute arbitrary SQL commands via the city parameter in the service-list feature. This affects all installations of Professional Service Script 1.0, potentially exposing database contents including user credentials and sensitive data.
💻 Affected Systems
- Professional Service Script
📦 What is this software?
On Demand Marketplace Script by On Demand Marketplace Script Project
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, authentication bypass, remote code execution via database functions, and full system takeover.
Likely Case
Database information disclosure including user credentials, personal data, and business information, potentially leading to further attacks.
If Mitigated
No impact if proper input validation and parameterized queries are implemented.
🎯 Exploit Status
Multiple public exploit scripts are available. The vulnerability requires no authentication and has simple exploitation vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown - No official patch appears to exist
Vendor Advisory: No official vendor advisory found
Restart Required: No
Instructions:
1. Check if Professional Service Script 1.0 is installed
2. If using version 1.0, implement manual fixes or upgrade to a newer version if available
3. Apply input validation and parameterized queries to the service-list city parameter
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation so the city parameter only accepts letters, digits and whitespace
In PHP: if (!preg_match('/^[a-zA-Z0-9\s]+$/', $_GET['city'] ?? '')) { die('Invalid input'); }
Web Application Firewall Rule
Block SQL injection patterns in the city parameter
WAF rule: Block requests containing SQL keywords (SELECT, UNION, etc.) in city parameter
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with SQL injection protection rules
- Restrict access to the vulnerable endpoint using IP whitelisting or authentication
🔍 How to Verify
Check if Vulnerable:
Test the service-list endpoint with a SQL injection payload in the city parameter: ?city=' OR '1'='1
Check Version:
Check the script's version file or configuration, typically in includes/config.php or similar
Verify Fix Applied:
Test with SQL injection payloads and verify they are rejected or properly escaped
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple requests with SQL keywords in city parameter
- Database error messages containing SQL syntax
Network Indicators:
- HTTP requests with SQL injection patterns in URL parameters
- Unusual database query patterns from web server
SIEM Query:
web.url: "*service-list*" AND (web.param.city: "*SELECT*" OR web.param.city: "*UNION*" OR web.param.city: "*OR '1'='1*")
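The log indicators and the SIEM query above, as an added detection example that is not part of the original advisory: it parses constructed Common Log Format lines, extracts the city parameter from service-list requests, and flags a request either when the decoded value matches the SIEM keyword patterns or when it fails the alphanumeric allowlist from the workaround section. The script name service-list.php and the log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2018:10:01:02 +0000] "GET /service-list.php?city=Boston HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2018:10:01:09 +0000] "GET /service-list.php?city=%27+OR+%271%27%3D%271 HTTP/1.1" 200 9981
203.0.113.7 - - [10/Jan/2018:10:01:15 +0000] "GET /service-list.php?city=x%27+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 500 310
203.0.113.9 - - [10/Jan/2018:10:02:00 +0000] "GET /service-list.php?city=Boston%27 HTTP/1.1" 200 2200
203.0.113.9 - - [10/Jan/2018:10:02:05 +0000] "GET /index.php?city=London HTTP/1.1" 200 2200
"""

# Common Log Format request line: ip ident user [ts] "METHOD url PROTO" status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Keyword patterns mirroring the SIEM query, applied after URL decoding
SQLI_RE = re.compile(r"\bSELECT\b|\bUNION\b|OR\s*'1'\s*=\s*'1", re.IGNORECASE)
# Allowlist from the PHP input validation workaround (letters, digits, whitespace)
CITY_OK_RE = re.compile(r'^[a-zA-Z0-9\s]+$')


def city_param(url):
    """Return the decoded city value for service-list URLs, else None."""
    parts = urlsplit(url)
    if 'service-list' not in parts.path:
        return None
    return parse_qs(parts.query, keep_blank_values=True).get('city', [None])[0]


def flag_requests(log_text):
    """Return (ip, status, city, reason) for service-list requests with a suspect city value."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        city = city_param(m['url'])
        if city is None:
            continue
        if SQLI_RE.search(city):
            hits.append((m['ip'], int(m['status']), city, 'sqli-pattern'))
        elif not CITY_OK_RE.match(city):
            # Quotes or other metacharacters without a known keyword still warrant review
            hits.append((m['ip'], int(m['status']), city, 'allowlist-reject'))
    return hits


if __name__ == '__main__':
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A 500 status paired with a flagged city value is the strongest signal here, since it lines up with the "unusual SQL errors" indicator above.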