CVE-2023-46793

9.8 CRITICAL

📋 TL;DR

Online Matrimonial Project v1.0 contains unauthenticated SQL injection vulnerabilities in the register() function's 'day' parameter, allowing attackers to execute arbitrary SQL commands without authentication. This affects all deployments of v1.0 where the vulnerable code is exposed. Attackers can potentially access, modify, or delete sensitive user data including personal information and credentials.

💻 Affected Systems

Products:
  • Online Matrimonial Project
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of v1.0 are vulnerable. The vulnerability exists in the functions.php file's register() function.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case

Extraction of sensitive user data (personal information, passwords), privilege escalation, and potential site defacement.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database user privilege restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via 'day' parameter requires no authentication. Basic SQL injection techniques work.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://projectworlds.in

Restart Required: No

Instructions:

1. Download updated version if available from projectworlds.in
2. Replace vulnerable functions.php file
3. Test registration functionality

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation for 'day' parameter to only accept numeric values 1-31

Edit functions.php and add: if (!isset($_POST['day']) || !is_numeric($_POST['day']) || $_POST['day'] < 1 || $_POST['day'] > 31) { die('Invalid input'); }

Parameterized Query Implementation

all

Replace direct SQL concatenation with prepared statements

Replace vulnerable SQL with: $stmt = $db->prepare('INSERT INTO users (day, ...) VALUES (?, ...)'); $stmt->bind_param('i', $_POST['day']); $stmt->execute();
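
The two workarounds above (input validation and a parameterized query) combined in one script, as an added example that is not the project's own code. The users table, its columns and the helper names are hypothetical, and PDO with in-memory SQLite (PHP 8+) stands in for the application's mysqli connection so the script runs on its own. The allowlist is stricter than is_numeric(), which also accepts values such as '1.5' and '1e1'.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only a day of month 1-31, as digits, nothing else.
function parse_day(mixed $raw): ?int
{
    // Arrays (day[]=1), null and other non-strings are rejected before matching.
    if (!is_string($raw) || preg_match('/\A(?:0?[1-9]|[12][0-9]|3[01])\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Hypothetical insert: the value travels as a bound integer, never as SQL text.
function insert_user(PDO $db, string $name, int $day): void
{
    $stmt = $db->prepare('INSERT INTO users (name, day) VALUES (:name, :day)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':day', $day, PDO::PARAM_INT);
    $stmt->execute();
}

// In-memory SQLite stands in for the application's database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT NOT NULL, day INTEGER NOT NULL)');

// Constructed sample inputs, including the test string from "How to Verify".
$samples = ['7', '07', '31', '0', '32', '1.5', '1e1', ' 5', "1' OR '1'='1", ['1'], null];

foreach ($samples as $raw) {
    $day = parse_day($raw);
    if ($day === null) {
        echo 'rejected: ', json_encode($raw), PHP_EOL;
        continue;
    }
    insert_user($db, 'sample', $day);
    echo 'stored:   ', json_encode($raw), ' as ', $day, PHP_EOL;
}

// Only the values that passed the allowlist were written.
echo 'rows: ', $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), PHP_EOL;
```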

🧯 If You Can't Patch

  • Implement WAF rules to block SQL injection patterns
  • Restrict database user permissions to SELECT only

🔍 How to Verify

Check if Vulnerable:

Test registration with payload: day=1' OR '1'='1

Check Version:

Check project documentation or version file if present

Verify Fix Applied:

Attempt SQL injection payloads; a successful fix should return an error or reject the input.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in logs
  • Multiple failed registration attempts with unusual 'day' values
  • Database error messages containing SQL fragments

Network Indicators:

  • HTTP POST requests to register endpoint with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/register" AND (param="day" AND value MATCHES "[';]|UNION|SELECT|OR\s+1=1")
