CVE-2018-5972

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Quickad 4.0 allows attackers to execute arbitrary SQL commands through the keywords, placeid, cat, or subcat parameters in listing URLs. This affects all installations of Quickad 4.0 that expose the classified ads functionality to users. Attackers can potentially access, modify, or delete database content.

💻 Affected Systems

Products:
  • Quickad Classified Ads CMS
Versions: 4.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the vulnerable listing functionality enabled are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, and potential remote code execution if database permissions allow file system access or command execution.

🟠 Likely Case

Unauthorized access to classified ads data, user information, and potential privilege escalation to administrative access.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH - The vulnerability is in web application parameters accessible via HTTP requests.
🏢 Internal Only: MEDIUM - Internal users could exploit if they have access to the application.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and requires no authentication. Simple parameter manipulation can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check for updated version from vendor.
2. If no patch available, implement parameterized queries.
3. Apply input validation to keywords, placeid, cat, and subcat parameters.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

Platform: all

Implement WAF rules to block SQL injection patterns in the vulnerable parameters.

Input Validation Filter

Platform: all

Add server-side validation to reject suspicious characters in the vulnerable parameters.

// PHP example: filter_input(INPUT_GET, 'keywords', FILTER_SANITIZE_STRING);
// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, and input filtering is not a substitute for parameterized queries.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to the Quickad application
  • Deploy a web application firewall with SQL injection detection rules

🔍 How to Verify

Check if Vulnerable:

Test by appending SQL injection payloads to listing URLs with parameters like: /listing?keywords=test' OR '1'='1

Check Version:

Check Quickad version in admin panel or configuration files.

Verify Fix Applied:

Attempt SQL injection tests and verify they are blocked or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple requests with SQL keywords in parameters

Network Indicators:

  • HTTP requests containing SQL injection patterns in keywords, placeid, cat, or subcat parameters

SIEM Query:

source="web_logs" AND (keywords="*' OR*" OR placeid="*' OR*" OR cat="*' OR*" OR subcat="*' OR*")
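
The SIEM query above matches the literal text ' OR, which will not appear in access logs that store the request URL percent-encoded. The following is an added example, not part of the original advisory or of Quickad: a log scanner that decodes the four listed parameters (including double encoding) before matching and groups hits per client IP. The log layout (Apache/nginx common or combined format), the sample lines and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

WATCHED = {"keywords", "placeid", "cat", "subcat"}  # parameters named in this advisory
# Quote followed by a boolean operator, UNION ... SELECT, comment markers, timing calls.
SQLI = re.compile(
    r"""['"]\s*(?:or|and)\b|\bunion\b.+?\bselect\b|--(?:\s|$)|/\*|\b(?:sleep|benchmark)\s*\(""",
    re.IGNORECASE | re.DOTALL,
)
# Assumption: Apache/nginx common or combined access log layout.
LINE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2018:10:00:01 +0000] "GET /listing?keywords=test%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Feb/2018:10:00:03 +0000] "GET /listing?cat=3&placeid=7%2527%2520OR%2520%25271 HTTP/1.1" 500 310',
    '198.51.100.4 - - [10/Feb/2018:10:01:10 +0000] "GET /listing?keywords=select+sofa&cat=2 HTTP/1.1" 200 4800',
]

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is still inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_hits(log_lines):
    """Return {client_ip: [(param, decoded_value), ...]} for the watched parameters."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue
        # parse_qsl performs the first round of decoding; decode() handles the rest.
        for name, value in parse_qsl(urlsplit(m["url"]).query, keep_blank_values=True):
            if name.lower() in WATCHED and SQLI.search(decode(value)):
                hits[m["ip"]].append((name.lower(), decode(value)))
    return dict(hits)

def repeat_offenders(log_lines, threshold=2):
    """Client IPs with at least `threshold` suspicious requests."""
    return sorted(ip for ip, h in suspicious_hits(log_lines).items() if len(h) >= threshold)

if __name__ == "__main__":
    for ip, found in suspicious_hits(SAMPLE_LOG).items():
        print(ip, found)
```

The third sample line shows why a bare SQL keyword in the free-text keywords parameter is not flagged on its own; tighten or loosen the pattern to match your traffic.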
