CVE-2023-40921
📋 TL;DR
This SQL injection vulnerability in Common Services soliberte allows attackers to manipulate database queries through the lat and lng parameters in point_list.php. Attackers can potentially extract sensitive information from the database, including user credentials and other confidential data. All users running soliberte versions before v4.3.03 are affected.
💻 Affected Systems
- Common Services soliberte
📦 What is this software?
Soliberte by Common Services
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, authentication bypass, privilege escalation, and potential remote code execution through database functions.
Likely Case
Extraction of sensitive information such as user credentials, personal data, and configuration details from the database.
If Mitigated
Limited information disclosure if proper input validation and parameterized queries are implemented.
🎯 Exploit Status
SQL injection vulnerabilities are commonly weaponized, and this one requires no authentication, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.3.03
Vendor Advisory: https://security.friendsofpresta.org/modules/2023/12/12/soliberte.html
Restart Required: No
Instructions:
1. Download soliberte v4.3.03 or later from the official source.
2. Replace the vulnerable functions/point_list.php file with the patched version.
3. Verify the fix by testing the lat and lng parameters.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to ensure the lat and lng parameters contain only numeric values
# In functions/point_list.php, reject the request before any SQL is built:
# a legitimate coordinate is a plain decimal number, so anything else is refused.
$lat = $_GET['lat'] ?? null;
$lng = $_GET['lng'] ?? null;
if (!is_numeric($lat) || !is_numeric($lng)) {
    http_response_code(400);
    die('Invalid parameters');
}
Web Application Firewall Rule
Block SQL injection patterns targeting the point_list.php endpoint
# Example ModSecurity rule: scope the SQLi check to the vulnerable endpoint and its two parameters
SecRule REQUEST_FILENAME "@endsWith /functions/point_list.php" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt against point_list.php',chain"
    SecRule ARGS_GET:lat|ARGS_GET:lng "@detectSQLi" "t:urlDecodeUni"
🧯 If You Can't Patch
- Block external access to functions/point_list.php using network firewall rules or web server configuration
- Implement strict input validation and parameterized queries in the application code
🔍 How to Verify
Check if Vulnerable:
Test the point_list.php endpoint with SQL injection payloads in lat and lng parameters, such as: ' OR '1'='1
Check Version:
Check the soliberte version in the application's configuration files or admin interface
Verify Fix Applied:
Repeat the same SQL injection tests after patching; the requests should now return an error or no data rather than results shaped by the injected SQL
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in web server logs
- Multiple requests to point_list.php with suspicious parameter values
- Database query errors containing SQL syntax
Network Indicators:
- HTTP requests to /functions/point_list.php containing SQL keywords in parameters
- Unusual database query patterns from the web server
SIEM Query:
source="web_server.log" AND uri="/functions/point_list.php" AND (param="*SELECT*" OR param="*UNION*" OR param="*OR*1*" OR param="*--*" OR param="*;*" OR param="*'*")
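Added example, not part of the advisory: a Python filter that applies the log indicators above to constructed access-log lines. It URL-decodes the lat and lng parameters of requests to point_list.php, flags any value that is not a plain coordinate (the same positive model the validation workaround enforces), and notes whether the value also carries SQL keywords. The combined log format and the module path under /modules/soliberte/ are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic), combined log format.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2023:10:01:02 +0000] "GET /modules/soliberte/functions/point_list.php?lat=48.85&lng=2.35 HTTP/1.1" 200 512
203.0.113.11 - - [12/Dec/2023:10:01:09 +0000] "GET /modules/soliberte/functions/point_list.php?lat=48.85%27%20OR%20%271%27%3D%271&lng=2.35 HTTP/1.1" 200 9031
203.0.113.12 - - [12/Dec/2023:10:02:15 +0000] "GET /modules/soliberte/functions/point_list.php?lat=1%20UNION%20SELECT%201,2,3--&lng=2.35 HTTP/1.1" 500 217
203.0.113.13 - - [12/Dec/2023:10:03:00 +0000] "GET /index.php?controller=category&id_category=3 HTTP/1.1" 200 4400
"""

# Request line of a combined-format access log entry.
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# What a legitimate coordinate looks like: an optional sign, digits, optional decimals.
NUMERIC_RE = re.compile(r'^-?\d+(\.\d+)?$')
# Keywords from the advisory's SIEM query, used only to label why a value was flagged.
SQL_HINT_RE = re.compile(r"(union|select|--|;|'|or\s+1\s*=\s*1)", re.IGNORECASE)

def find_suspicious(log_text):
    """Return one record per lat/lng value on point_list.php that is not a plain number."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group('target'))
        if not url.path.endswith('/functions/point_list.php'):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
        for name in ('lat', 'lng'):
            for value in params.get(name, []):
                if NUMERIC_RE.match(value):
                    continue  # a real coordinate; nothing to report
                reason = 'sql-keyword' if SQL_HINT_RE.search(value) else 'non-numeric'
                hits.append({'ip': m.group('ip'), 'ts': m.group('ts'), 'param': name,
                             'value': value, 'status': m.group('status'), 'reason': reason})
    return hits

if __name__ == '__main__':
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['param']}={hit['value']!r} "
              f"status={hit['status']} reason={hit['reason']}")
```

Matching on the numeric shape of the parameter rather than only on keywords also catches obfuscated payloads the SIEM query's wildcard list would miss, while a 500 status on a flagged request lines up with the "database query errors" indicator above.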