CVE-2023-1595
📋 TL;DR
This CVE describes a SQL injection vulnerability in novel-plus version 3.6.2: the 'sort' parameter of the common/log/list endpoint is placed into a SQL query without validation, so a remote attacker who can reach that endpoint can inject arbitrary SQL. The public write-up (see References) describes it as a "background" injection, i.e. the endpoint belongs to the administration back end, so reaching it normally requires access to that interface. All novel-plus 3.6.2 installations that expose the endpoint are affected. A successful attacker can read, modify, or delete database content.
💻 Affected Systems
- novel-plus
📦 What is this software?
Novel Plus by Xxyopen, an open-source online novel reading and publishing platform written in Java (Spring Boot) with a reader-facing front end and an administration back end.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise: theft and manipulation of all data the application's database account can reach, privilege escalation inside the application (for example by altering administrator records), and remote code execution if the database user has file-write or similar dangerous privileges.
Likely Case
Unauthorized read access to database contents (user records, credential hashes, configuration) extracted through blind or error-based injection via the sort parameter, with data tampering possible if the database account has write access to other tables.
If Mitigated
Limited impact: with the sort parameter restricted to an allowlist of column names and directions, parameterized queries for all other values, and a least-privilege database account, the parameter can no longer alter the query, and any remaining injection is confined to the tables the application needs.
🎯 Exploit Status
A public proof-of-concept write-up is available on GitHub (see References), so exploitation requires only basic SQL injection knowledge once an attacker can reach the endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No official vendor advisory found
Restart Required: Unknown; a code-level fix will require the application to be rebuilt and redeployed
Instructions:
1. Check for official patches from novel-plus developers
2. If no patch available, implement workarounds
3. Consider upgrading to a newer version if available
4. Monitor novel-plus repositories for security updates
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation for the 'sort' parameter so that only expected values are accepted
Modify common/log/list to check the sort parameter against an allowlist of sortable column names and directions (asc/desc), and reject anything else rather than trying to sanitize it
Parameterized Query Implementation
Replace dynamic SQL construction with parameterized queries or prepared statements for every value that belongs in a WHERE, INSERT, or UPDATE clause
Rewrite SQL queries to use parameter binding instead of string concatenation; note that a sort column cannot be bound as a parameter (ORDER BY takes an identifier, and a bound value is treated as a literal, so the sort is silently ignored), which is why the sort parameter must be handled by the allowlist above
Access Restriction
Restrict access to the vulnerable endpoint using web server configuration
Add access control rules in web server config (e.g., .htaccess for Apache, nginx location blocks) so that common/log/list is reachable only from trusted administrative networks
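The following is an added example, not code from novel-plus or from the advisory's author: it uses Python and an in-memory SQLite database as a stand-in for the Java application and shows (1) why concatenating the sort parameter into ORDER BY leaks data even when the endpoint only lists log rows, (2) why binding the sort value as a parameter is not a fix for ORDER BY, and (3) the allowlist approach described above. The table and column names (sys_log, sys_user, create_time) and the sample rows are constructed for the example and are not the project's real schema.

```python
import sqlite3

# Assumed sortable columns for the log list; the real novel-plus column names
# are not known from the advisory and these are a stand-in for the example.
ALLOWED_SORT_COLUMNS = {"id", "method", "ip", "create_time"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def make_db():
    """Build an in-memory SQLite database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sys_log (id INTEGER, method TEXT, ip TEXT, create_time TEXT)"
    )
    conn.executemany(
        "INSERT INTO sys_log VALUES (?, ?, ?, ?)",
        [
            (1, "login", "10.0.0.1", "2023-03-01"),
            (2, "list", "10.0.0.2", "2023-03-02"),
            (3, "edit", "10.0.0.3", "2023-03-03"),
        ],
    )
    # A second table the log endpoint should never be able to expose.
    conn.execute("CREATE TABLE sys_user (id INTEGER, username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO sys_user VALUES (1, 'admin', 'h4sh-of-admin-password')")
    return conn


def list_logs_vulnerable(conn, sort):
    """Vulnerable pattern: the request value is concatenated into ORDER BY."""
    sql = "SELECT id, method, ip FROM sys_log ORDER BY " + sort
    return [row[0] for row in conn.execute(sql).fetchall()]


def list_logs_bound(conn, sort):
    """Binding the sort value as a parameter: no injection, but the database
    orders by a constant string, so the requested sort is silently ignored."""
    rows = conn.execute("SELECT id, method, ip FROM sys_log ORDER BY ?", (sort,))
    return [row[0] for row in rows.fetchall()]


def list_logs_hardened(conn, sort):
    """Allowlist: only a known column and direction ever reach the SQL text."""
    parts = sort.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("invalid sort parameter")
    column = parts[0].lower()
    direction = parts[1].lower() if len(parts) == 2 else "asc"
    if column not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("invalid sort parameter")
    # Both pieces are now fixed identifiers taken from our own sets, not attacker text.
    sql = f"SELECT id, method, ip FROM sys_log ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql).fetchall()]


def sort_is_rejected(conn, sort):
    """True when the hardened handler refuses the value."""
    try:
        list_logs_hardened(conn, sort)
    except ValueError:
        return True
    return False


def blind_probe(guess):
    """ORDER BY payload that leaks one character of the admin hash through row
    order: ids come back ascending if the guess is right, descending otherwise."""
    return (
        "(CASE WHEN (SELECT substr(password_hash, 1, 1) FROM sys_user) = '"
        + guess
        + "' THEN id ELSE -id END)"
    )


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, sort=id desc   :", list_logs_vulnerable(db, "id desc"))
    print("vulnerable, right guess 'h':", list_logs_vulnerable(db, blind_probe("h")))
    print("vulnerable, wrong guess 'x':", list_logs_vulnerable(db, blind_probe("x")))
    print("bound,      sort=id desc   :", list_logs_bound(db, "id desc"))
    print("hardened,   sort=id desc   :", list_logs_hardened(db, "id desc"))
    print("hardened,   payload        : rejected =", sort_is_rejected(db, blind_probe("h")))
```

The blind probe shows the practical consequence of an ORDER BY injection: no error and no extra rows, only a reversed order, which is enough to extract the admin's credential hash one character at a time. The bound variant demonstrates the caveat above: it is injection-proof but functionally broken, so the allowlist is the correct fix for this parameter.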
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules that allow only column-name-shaped values (letters, digits, underscore, optionally followed by asc/desc) in the sort parameter of common/log/list, after URL-decoding; blocking SQL keywords alone is easy to bypass
- Restrict database user permissions to minimize potential damage from successful exploitation
🔍 How to Verify
Check if Vulnerable:
Send a request to the common/log/list endpoint with a syntactically disruptive value in the sort parameter (e.g., sort=1' OR '1'='1) and compare the response with a normal request (e.g., sort=id). A database error, or a change in row order or response time when an expression is injected, shows that the value reaches the query unvalidated. Test only against systems you are authorized to assess.
Check Version:
Check novel-plus version in application configuration or about page
Verify Fix Applied:
Repeat the same probes after implementing fixes; a correct fix rejects the value (an HTTP 400 or the default ordering) without any database error, and an injected expression no longer changes row order or response time
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple requests to common/log/list with suspicious sort parameters
- Database error messages containing SQL syntax
Network Indicators:
- HTTP requests to /common/log/list with SQL keywords in parameters
- Unusual database traffic patterns from application servers
SIEM Query (pseudo-syntax; adapt field names to your platform and URL-decode the parameter before matching):
source="web_logs" AND uri="/common/log/list" AND (param_sort CONTAINS "UNION" OR param_sort CONTAINS "SELECT" OR param_sort CONTAINS "SLEEP" OR param_sort CONTAINS "UPDATEXML" OR param_sort CONTAINS "' OR '" OR param_sort CONTAINS "(")
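As an added example (not part of the original advisory), the detection logic above run offline over a few constructed access-log lines in combined format. The request lines, IPs and timestamps are made up for the example; the path /common/log/list is the one named in the advisory. Rather than matching keywords only, the scanner flags any request to the endpoint whose decoded sort value is not shaped like a column name with an optional direction, and records which SQL markers it saw.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined format (not real novel-plus logs).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2023:10:00:01 +0000] "GET /common/log/list?page=1&limit=10&sort=id&order=desc HTTP/1.1" 200 812
10.0.0.9 - - [15/Mar/2023:10:00:07 +0000] "GET /common/log/list?page=1&limit=10&sort=id%2C%28select%20sleep%285%29%29 HTTP/1.1" 200 812
10.0.0.9 - - [15/Mar/2023:10:00:14 +0000] "GET /common/log/list?sort=updatexml%281%2Cconcat%280x7e%2Cuser%28%29%29%2C1%29 HTTP/1.1" 500 120
10.0.0.7 - - [15/Mar/2023:10:01:00 +0000] "GET /index.html?sort=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/common/log/list"
# A legitimate sort value is a column name, optionally followed by asc/desc.
BENIGN_SORT = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*(\s+(asc|desc))?$", re.IGNORECASE)
# Markers worth recording when the value is not benign (keyword list is illustrative).
SQL_MARKERS = re.compile(
    r"\b(union|select|sleep|benchmark|updatexml|extractvalue)\b|['\";()]|--|/\*",
    re.IGNORECASE,
)


def scan_log(text):
    """Return one finding per request to the log endpoint whose decoded sort
    parameter does not look like a plain column/direction pair."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        url = urlsplit(m.group("target"))
        if not url.path.endswith(TARGET_PATH):
            continue  # other endpoints are out of scope for this rule
        # parse_qs percent-decodes the value, so encoded payloads are seen in clear.
        for sort in parse_qs(url.query).get("sort", []):
            if BENIGN_SORT.match(sort):
                continue
            markers = sorted({x.lower() for x in SQL_MARKERS.findall(sort) if x})
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "sort": sort,
                "markers": markers,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], repr(f["sort"]), f["markers"])
```

The allowlist-shaped check is the important part: a time-based payload such as the sleep() call in the second line contains none of the strings in the page's SIEM query, yet it is still flagged because it is not a bare column name. The HTTP 500 on the third line is the "database error" indicator from the list above showing up in the web log.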
🔗 References
- https://github.com/1610349395/novel-plus-v3.6.2----Background-SQL-Injection-Vulnerability-/blob/main/novel-plus%20v3.6.2%20--%20Background%20SQL%20Injection%20Vulnerability.md
- https://vuldb.com/?ctiid.223663
- https://vuldb.com/?id.223663