CVE-2023-41443
📋 TL;DR
This SQL injection vulnerability in Novel-Plus v4.1.0 allows remote attackers to execute arbitrary SQL commands via the sort parameter in the /sys/menu/list endpoint. Attackers can potentially read, modify, or delete database content, and in some configurations execute arbitrary code. All Novel-Plus v4.1.0 installations with the vulnerable endpoint exposed are affected.
💻 Affected Systems
- Novel-Plus
📦 What is this software?
Novel Plus by Xxyopen
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including remote code execution, database exfiltration, and potential lateral movement to other systems.
Likely Case
Database compromise leading to data theft, privilege escalation, and potential application takeover.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only error messages or limited data exposure.
🎯 Exploit Status
The exploit requires sending crafted HTTP requests to the vulnerable endpoint. Public proof-of-concept code exists in the referenced GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.1.1 or later
Vendor Advisory: https://github.com/xxd763795151/novel-plus
Restart Required: Yes
Instructions:
1. Back up your Novel-Plus installation and database.
2. Download the latest version from the official repository.
3. Replace the vulnerable files with the patched versions.
4. Restart the application server.
5. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Implement input validation for the sort parameter before it is processed
Modify the controller handling /sys/menu/list to validate the sort parameter against a whitelist of allowed values
Web Application Firewall Rule
Block SQL injection patterns in the sort parameter
Add a WAF rule: deny requests to /sys/menu/list containing SQL keywords in the sort parameter
🧯 If You Can't Patch
- Implement strict input validation for the sort parameter in the application code
- Restrict access to the /sys/menu/list endpoint using network controls or authentication
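A whitelist implementation of the sort-parameter validation recommended above, added here as an illustration rather than Novel-Plus's own code. The request keys, column names and the `order` parameter are assumptions, and the controller wiring that would call `orderByClause` is omitted; the point is that an ORDER BY column cannot be bound as a prepared-statement placeholder, so only a fixed mapping onto known columns is safe.

```java
import java.util.Map;
import java.util.Set;

/**
 * Whitelist handling for a user-supplied "sort" parameter before it reaches an
 * ORDER BY clause. An ORDER BY column cannot be bound as a prepared-statement
 * placeholder, so the request value is mapped onto a fixed set of known columns
 * and anything else is rejected. Request keys, column names and the "order"
 * parameter are assumptions for illustration, not Novel-Plus's actual schema.
 */
public final class SortWhitelist {

    // Accepted request key -> column name used in SQL (constructed example names).
    private static final Map<String, String> ALLOWED_SORT_COLUMNS = Map.of(
        "id", "id",
        "name", "menu_name",
        "sort", "order_num",
        "createTime", "create_time");

    private static final Set<String> ALLOWED_DIRECTIONS = Set.of("ASC", "DESC");

    /**
     * Returns an ORDER BY fragment built only from constants in this class;
     * the raw request value is never concatenated into SQL.
     */
    public static String orderByClause(String sort, String order) {
        String column = (sort == null) ? "id" : ALLOWED_SORT_COLUMNS.get(sort);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort key");
        }
        String direction = (order == null) ? "ASC" : order.trim().toUpperCase();
        if (!ALLOWED_DIRECTIONS.contains(direction)) {
            throw new IllegalArgumentException("unsupported sort order");
        }
        return "ORDER BY " + column + " " + direction;
    }

    public static void main(String[] args) {
        // Legitimate request key: translated to its column constant.
        System.out.println(orderByClause("createTime", "desc"));
        // The payload from the verification step below is rejected before any SQL exists.
        try {
            orderByClause("1' OR '1'='1", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```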
🔍 How to Verify
Check if Vulnerable:
Send a test request to /sys/menu/list with a sort parameter containing a SQL injection payload such as '1' OR '1'='1' and check for SQL errors or unexpected responses
Check Version:
Check the Novel-Plus version in the application configuration or about page
Verify Fix Applied:
Send the same SQL injection payload after patching; it should return a validation error or a sanitized response without executing the injected SQL
📡 Detection & Monitoring
Log Indicators:
- SQL syntax errors in application logs
- Unusual database queries from application user
- Multiple failed login attempts following SQL errors
Network Indicators:
- HTTP requests to /sys/menu/list with SQL keywords in parameters
- Unusual outbound database connections from application server
SIEM Query:
source="application.log" AND ("SQL syntax" OR "sort parameter" OR "/sys/menu/list") AND ("error" OR "injection")