CVE-2023-37177
📋 TL;DR
This CVE describes a critical SQL injection vulnerability in PMB, the library management software from PMB Services. Unauthenticated remote attackers can execute arbitrary SQL through the query parameter of the /admin/convert/export_z3950.php endpoint. Depending on database privileges and server configuration, this escalates from data theft to remote code execution on the web server. PMB versions 7.4.7 and earlier are affected.
💻 Affected Systems
- PMB Services PMB
📦 What is this software?
PMB is an open-source integrated library system (SIGB, système intégré de gestion de bibliothèque) developed by PMB Services.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including remote code execution, database exfiltration, lateral movement to other systems, and persistent backdoor installation.
Likely Case
Database compromise leading to data theft, privilege escalation, and potential remote code execution on the web server.
If Mitigated
Limited impact if proper WAF rules, input validation, and network segmentation prevent exploitation attempts.
🎯 Exploit Status
The vulnerability is well-documented with proof-of-concept examples available in public blog posts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v7.4.8 or later
Vendor Advisory: https://pmb-services.com/
Restart Required: No
Instructions:
1. Backup your current PMB installation and database
2. Download the latest version from the official PMB website
3. Follow the PMB upgrade documentation for your specific version
4. Verify the /admin/convert/export_z3950.php endpoint is no longer vulnerable
🔧 Temporary Workarounds
Block vulnerable endpoint
Temporarily block access to the vulnerable PHP file using web server configuration. This also disables legitimate Z39.50 export until you patch.
# Apache: add to the virtual host config. <Location> is not allowed in .htaccess;
# in admin/convert/.htaccess use <Files "export_z3950.php"> with the same directives.
<Location "/admin/convert/export_z3950.php">
    # Apache 2.4
    Require all denied
    # Apache 2.2 equivalent (do not mix with Require on 2.4):
    # Order deny,allow
    # Deny from all
</Location>
# Nginx: add to the server block. An exact-match location takes precedence over
# the regex location that hands .php files to PHP-FPM, so the file is never executed.
location = /admin/convert/export_z3950.php {
    return 403;
}
Implement WAF rules
Add SQL injection detection rules for the specific endpoint, so legitimate exports keep working while requests carrying SQL syntax in the query parameter are dropped.
# ModSecurity rule example (phase 2 so POST bodies are inspected too). Match the path with
# REQUEST_FILENAME: REQUEST_URI includes the query string, so @streq on it never matches an attack URL.
SecRule REQUEST_FILENAME "@streq /admin/convert/export_z3950.php" \
    "id:1001,phase:2,deny,status:403,log,msg:'Blocking CVE-2023-37177 exploit attempt',chain"
    SecRule ARGS:query "@rx ['\"#;]|--|/\*|\b(union|select|sleep|benchmark)\b" "t:urlDecodeUni,t:lowercase"
🧯 If You Can't Patch
- Implement strict network access controls to limit access to the PMB admin interface
- Deploy a web application firewall with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check whether your PMB version is 7.4.7 or earlier by examining the version file or the admin interface. To confirm the injection on an instance you are authorized to test, send a boolean pair in the query parameter rather than a single payload: ' OR '1'='1 and its false twin ' OR '1'='2. If the true condition returns more results than a plain search while the false one returns the same as the plain search, the quote is reaching SQL. These conditions are read-only, but test against a staging copy rather than the production database.
Check Version:
Check the includes/version.php file or login to PMB admin panel to see version information
Verify Fix Applied:
After patching, verify the version is 7.4.8 or later and test that SQL injection payloads no longer work against the /admin/convert/export_z3950.php endpoint.
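The two checks above (version comparison, then a boolean-based differential probe) as an added example; this is not code from the advisory or from the PMB project. It assumes includes/version.php contains the version as a dotted x.y.z string and that the injection sits in a single-quoted string context, which is what the ' OR '1'='1 payload implies. The probe does no network I/O of its own: you pass a fetch(url) -> str callable (for example a requests.Session wrapper carrying the admin session cookie), which also lets it be exercised offline with a fake fetcher.

```python
import re
import urllib.parse
from typing import Callable, Optional, Tuple

ENDPOINT = "/admin/convert/export_z3950.php"
FIXED_VERSION = (7, 4, 8)          # first fixed release per the advisory above

# Condition pair that differs only in truth value. If the quote reaches SQL, the
# true variant widens the result set and the false one leaves it unchanged.
TRUE_COND = "' OR '1'='1"
FALSE_COND = "' OR '1'='2"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first x.y.z version in `text` as an int tuple, or None.
    Tuples compare numerically, so 7.4.10 > 7.4.8; a string comparison would not."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(version: Tuple[int, ...]) -> bool:
    """True for 7.4.7 and earlier, i.e. anything below the fixed release."""
    return version < FIXED_VERSION


def probe_url(base_url: str, payload: str) -> str:
    """Build the export_z3950.php URL with `payload` in the query parameter,
    percent-encoded the way a browser or requests would send it."""
    return base_url.rstrip("/") + ENDPOINT + "?" + urllib.parse.urlencode({"query": payload})


def differential_probe(fetch: Callable[[str], str], base_url: str) -> bool:
    """Boolean-based test: compare a search term that matches nothing with the
    same term plus an always-true and an always-false injected condition.
    Returns True only when the true condition changes the response and the
    false one does not. That rules out both patched, parameterised queries
    (all three responses identical) and pages that differ on every request
    because of timestamps or CSRF tokens (all three responses different)."""
    marker = "zzz_no_such_record_7f3a"        # constructed term that should match nothing
    baseline = fetch(probe_url(base_url, marker))
    true_resp = fetch(probe_url(base_url, marker + TRUE_COND))
    false_resp = fetch(probe_url(base_url, marker + FALSE_COND))
    return true_resp != baseline and false_resp == baseline


if __name__ == "__main__":
    # Constructed stand-in for includes/version.php; the variable name is a placeholder.
    sample_version_php = '<?php $pmb_version = "7.4.7"; ?>'
    v = parse_version(sample_version_php)
    state = "VULNERABLE by version" if v and is_vulnerable_version(v) else "not affected by version"
    print(f"version {v}: {state}")
    # Live use against a test instance you are authorized to probe:
    # differential_probe(lambda u: session.get(u, timeout=10).text, "https://pmb.example")
```

Run the same differential_probe after upgrading: on a fixed build all three responses are identical and the function returns False.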
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by access to /admin/convert/export_z3950.php
- Web server logs showing SQL injection patterns in query parameters
Network Indicators:
- Unusual outbound database connections from web server
- Traffic patterns indicating data exfiltration
- Requests to /admin/convert/export_z3950.php with SQL keywords in parameters
SIEM Query (Splunk-style search syntax; adjust field names to your log source):
source="web_server_logs" uri="/admin/convert/export_z3950.php"
  AND (query="*'*" OR query="*%27*" OR query="*UNION*" OR query="*SELECT*" OR query="* OR *")
A bare *OR* wildcard matches any value containing the letters "or" (author, history) and buries real hits; anchor it with spaces, and add the single quote and its %27 encoding, since the injection has to break out of the string literal to work.
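The "SQL injection patterns in query parameters" indicator above, run over web server access-log lines, as an added example (not code from the advisory or from PMB). The endpoint path comes from the advisory; the log lines are constructed for the example, and the SQL patterns are the author's own choice. It decodes the parameter twice so double-encoded payloads are seen the way the database would see them, and uses word boundaries so ordinary search terms do not trigger the OR clause.

```python
import re
import urllib.parse
from typing import Dict, List, Optional

ENDPOINT = "/admin/convert/export_z3950.php"

# Apache/Nginx combined log format up to the response size; referer and UA are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Applied to the *decoded* parameter value. The bare quote catches anything that
# tries to close the string literal, which the ' OR '1'='1 payload relies on;
# the keyword branches carry word boundaries so "history" or "author" do not fire.
SQLI_RE = re.compile(r"""(?ix)
      ['"]                                      # string delimiter
    | --  | \#  | /\*                           # SQL comment introducers
    | \bunion\s+(?:all\s+)?select\b
    | \bselect\s.+\sfrom\b
    | \b(?:sleep|benchmark)\s*\(
    | \bor\s+['"]?\d+['"]?\s*=\s*['"]?\d+\b     # or 1=1, or '1'='1
""")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urllib.parse.urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes once; decode a second time so double-encoded
    # payloads (%2527 -> %27 -> ') are normalised before matching.
    raw = urllib.parse.parse_qs(parts.query, keep_blank_values=True).get("query", [""])[0]
    rec["query_param"] = urllib.parse.unquote(raw)
    return rec


def is_exploit_attempt(rec: Dict[str, str]) -> bool:
    """Only the vulnerable endpoint is in scope for this CVE; the same payload
    against other pages is a separate detection."""
    return rec["path"] == ENDPOINT and SQLI_RE.search(rec["query_param"]) is not None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed records of every flagged request, in log order."""
    return [rec for rec in map(parse_line, lines) if rec and is_exploit_attempt(rec)]


def attempts_per_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per client IP, the field you would pivot on in the SIEM."""
    counts: Dict[str, int] = {}
    for rec in hits:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


# Constructed sample lines: two plain attempts, one double-encoded attempt,
# one benign search, and one payload against an unrelated page.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2023:10:14:02 +0000] "GET /admin/convert/export_z3950.php?query=%27+OR+%271%27%3D%271 HTTP/1.1" 200 48213 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Jul/2023:10:14:05 +0000] "GET /admin/convert/export_z3950.php?query=1%27+UNION+SELECT+1,2,3--+- HTTP/1.1" 200 51200 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Jul/2023:10:14:09 +0000] "GET /admin/convert/export_z3950.php?query=%2527%2520OR%25201%253D1 HTTP/1.1" 200 48213 "-" "curl/8.1"',
    '198.51.100.2 - - [12/Jul/2023:10:20:11 +0000] "GET /admin/convert/export_z3950.php?query=history+of+france HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [12/Jul/2023:10:21:40 +0000] "GET /catalog.php?query=%27+OR+%271%27%3D%271 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["time"]} {rec["ip"]} status={rec["status"]} query={rec["query_param"]!r}')
    print(attempts_per_source(hits))
```

Feed real logs with `scan(open(path).readlines())`; a 200 status on a flagged request is the one to escalate first, since a blocked request from the workaround above logs as 403.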