CVE-2020-21809
📋 TL;DR
CVE-2020-21809 is a critical SQL injection vulnerability in NukeViet CMS's Shops module that allows attackers to execute arbitrary SQL commands through parameters in detail.php and search_result.php. This affects all users running NukeViet CMS with Shops module versions 4.0.29 and 4.3. Successful exploitation could lead to complete database compromise.
💻 Affected Systems
- NukeViet CMS Shops module
📦 What is this software?
Nukeviet by Nukeviet
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.
Likely Case
Unauthorized data access, data exfiltration, and potential authentication bypass leading to administrative access.
If Mitigated
Limited impact with proper input validation and parameterized queries in place, potentially preventing exploitation entirely.
🎯 Exploit Status
Multiple public references demonstrate exploitation techniques. SQL injection via URL parameters is straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 742c0e0f74364f7250c2a69f0a957d4e6317be68
Vendor Advisory: https://nukeviet.vn/vi/news/Tin-an-ninh/huong-dan-fix-loi-bao-mat-nukeviet-4-va-module-shops-612.html
Restart Required: No
Instructions:
1. Update NukeViet CMS to latest version.
2. Apply the specific commit fix for Shops module.
3. Replace vulnerable files with patched versions from GitHub repository.
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation for the listid, group_price, and groupid parameters so that they only accept the expected data types.
# Add to detail.php and search_result.php:
# $listid = filter_var($_GET['listid'], FILTER_VALIDATE_INT);
# if ($listid === false) { die('Invalid input'); }  // strict check: filter_var returns false on failure, and 0 is a valid int
WAF Rule
Deploy web application firewall rules to block SQL injection patterns targeting the vulnerable parameters.
# ModSecurity rule example:
# SecRule ARGS_GET "@detectSQLi" "id:1001,phase:2,deny,status:403"
🧯 If You Can't Patch
- Disable or remove the Shops module entirely if not required
- Implement network-level restrictions to limit access to vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Check if Shops module files contain unvalidated $_GET parameters for listid, group_price, or groupid in detail.php and search_result.php.
Check Version:
# Check NukeViet version:
# grep -r 'define.*NV_VERSION' /path/to/nukeviet/
# Check Shops module version in module configuration files
Verify Fix Applied:
Verify that parameterized queries or proper input validation has been implemented for the vulnerable parameters.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in web logs
- Multiple requests with SQL injection patterns in parameters
- Requests to detail.php or search_result.php with suspicious parameter values
Network Indicators:
- HTTP requests containing SQL keywords (UNION, SELECT, etc.) in listid, group_price, or groupid parameters
SIEM Query:
source="web_logs" AND (uri="*detail.php*" OR uri="*search_result.php*") AND (param="*listid*" OR param="*group_price*" OR param="*groupid*") AND (content="*UNION*" OR content="*SELECT*" OR content="*INSERT*")
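The log indicators above can be checked offline with a short script; this is an added example, not part of the advisory or of NukeViet's code. It assumes combined-format access logs and that legitimate values of the three parameters are integers or comma-separated integers; the sample lines and URL paths are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

WATCHED_PATHS = ("detail.php", "search_result.php")
WATCHED_PARAMS = {"listid", "group_price", "groupid"}
# Assumption: legitimate values are integers or comma-separated integers.
EXPECTED_VALUE = re.compile(r"\d+(,\d+)*")
# Keywords named in the advisory's SIEM query.
SQL_KEYWORDS = re.compile(r"\b(union|select|insert)\b", re.IGNORECASE)
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return [(param, decoded_value, has_sql_keyword)] for one log line."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith(WATCHED_PATHS):
        return []
    hits = []
    for name, value in parse_qsl(url.query):  # percent-decodes values
        base = name.split("[", 1)[0]  # treat groupid[] like groupid
        if base in WATCHED_PARAMS and not EXPECTED_VALUE.fullmatch(value):
            hits.append((base, value, bool(SQL_KEYWORDS.search(value))))
    return hits

def scan(lines):
    """Return [(line_index, hit)] for every suspicious parameter found."""
    return [(i, hit) for i, line in enumerate(lines)
            for hit in suspicious_params(line)]

# Constructed sample lines (not taken from real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shops/detail.php?listid=12,15 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /shops/search_result.php?groupid=3%20UNION%20SELECT%201 HTTP/1.1" 500 87',
    '203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /shops/detail.php?listid=5%27 HTTP/1.1" 500 87',
    '203.0.113.4 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?q=select HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for idx, (param, value, kw) in scan(SAMPLE_LOG):
        print(f"line {idx}: {param}={value!r} sql_keyword={kw}")
```

Flagging any non-numeric value, rather than only keyword matches, also catches probes such as a stray quote that contain no SQL keyword at all.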
🔗 References
- https://github.com/nukeviet/module-shops/commit/742c0e0f74364f7250c2a69f0a957d4e6317be68
- https://nukeviet.vn/vi/news/Tin-an-ninh/huong-dan-fix-loi-bao-mat-nukeviet-4-va-module-shops-612.html
- https://whitehub.net/submissions/1517
- https://whitehub.net/submissions/1518