CVE-2023-47326
📋 TL;DR
Silverpeas Core 6.3.1 has a CSRF vulnerability in its Domain SQL Create function that allows attackers to trick authenticated users into executing unauthorized SQL operations. This affects all Silverpeas Core 6.3.1 installations with the vulnerable function enabled. Attackers can exploit this to create malicious SQL domains through forged requests.
💻 Affected Systems
- Silverpeas Core
📦 What is this software?
Silverpeas by Silverpeas
⚠️ Risk & Real-World Impact
Worst Case
Attackers could create arbitrary SQL domains with malicious content, potentially leading to data manipulation, privilege escalation, or further attacks through SQL injection if the created domains execute harmful queries.
Likely Case
Unauthorized creation of SQL domains that could disrupt application functionality, expose sensitive data, or serve as a pivot point for additional attacks within the Silverpeas environment.
If Mitigated
With proper CSRF protections and input validation, the attack surface is minimized, though the vulnerability remains present in the codebase until patched.
🎯 Exploit Status
Exploitation requires the attacker to trick an authenticated user into visiting a malicious page. The RhinoSecurityLabs GitHub repository contains proof-of-concept details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Silverpeas official updates for versions after 6.3.1
Vendor Advisory: http://silverpeas.com
Restart Required: Yes
Instructions:
1. Check the Silverpeas website for security updates.
2. Apply the latest patch or upgrade to a fixed version.
3. Restart the Silverpeas service to apply the changes.
🔧 Temporary Workarounds
Implement CSRF Tokens
Add CSRF protection tokens to the Domain SQL Create endpoint to validate requests.
Modify Silverpeas configuration to enable CSRF tokens for vulnerable endpoints
Disable Domain SQL Create Function
Temporarily disable the vulnerable function if it is not required.
Access Silverpeas admin panel and disable Domain SQL Create functionality
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Silverpeas administration interfaces
- Use web application firewalls (WAF) with CSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Check if Silverpeas version is 6.3.1 and the Domain SQL Create function is accessible without CSRF protection.
Check Version:
Check Silverpeas version through admin interface or configuration files
Verify Fix Applied:
After patching, test the Domain SQL Create endpoint with CSRF token validation to ensure requests without proper tokens are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL domain creation requests
- Multiple failed CSRF validation attempts
Network Indicators:
- HTTP POST requests to the Domain SQL Create endpoint whose Referer or Origin header is missing or points to an off-site host
SIEM Query:
source="silverpeas" AND (uri="/DomainSQLCreate" OR action="create_domain_sql") AND status=200
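The two log indicators above, as an added detection sketch that is not part of this advisory or of Silverpeas: it flags accepted POSTs to the endpoint whose Origin and Referer are missing or off-site, and source IPs with repeated 403 rejections once token validation is in place. The endpoint path (taken from the SIEM query), the trusted host, the JSON-lines log format and every log line are constructed assumptions; substitute your server's real path and access-log format.

```python
"""Detection sketch for the CSRF indicators above (added example, not Silverpeas code)."""
import json
from collections import Counter
from urllib.parse import urlparse

ENDPOINT = "/DomainSQLCreate"              # assumed path, taken from the SIEM query above
TRUSTED_HOSTS = {"intranet.example.com"}   # assumed: hosts allowed to originate admin POSTs

# Constructed JSON-lines access log, one request per line (not real Silverpeas output).
SAMPLE_LOG = """\
{"id": 1, "ip": "10.0.0.5", "method": "POST", "uri": "/DomainSQLCreate", "status": 200, "origin": "https://intranet.example.com", "referer": "https://intranet.example.com/admin/domains"}
{"id": 2, "ip": "10.0.0.9", "method": "POST", "uri": "/DomainSQLCreate", "status": 200, "origin": null, "referer": "https://lure.example.net/page.html"}
{"id": 3, "ip": "10.0.0.9", "method": "POST", "uri": "/DomainSQLCreate", "status": 200, "origin": null, "referer": null}
{"id": 4, "ip": "10.0.0.7", "method": "GET", "uri": "/DomainSQLCreate", "status": 200, "origin": null, "referer": null}
{"id": 5, "ip": "10.0.0.9", "method": "POST", "uri": "/DomainSQLCreate", "status": 403, "origin": null, "referer": null}
{"id": 6, "ip": "10.0.0.9", "method": "POST", "uri": "/DomainSQLCreate", "status": 403, "origin": null, "referer": null}
{"id": 7, "ip": "10.0.0.9", "method": "POST", "uri": "/DomainSQLCreate", "status": 403, "origin": null, "referer": null}
"""

def _host(url):
    """Hostname of a header URL, or None when the header is absent."""
    return urlparse(url).hostname if url else None

def cross_site_creates(log_text, trusted_hosts=TRUSTED_HOSTS, endpoint=ENDPOINT):
    """IDs of accepted (2xx) POSTs to the endpoint whose Origin and Referer are
    both missing or name a host outside trusted_hosts. Browsers send Origin on
    cross-site POSTs, so a state-changing POST with neither header is also suspect."""
    flagged = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["method"] != "POST" or ev["uri"] != endpoint or not 200 <= ev["status"] < 300:
            continue
        hosts = {_host(ev.get("origin")), _host(ev.get("referer"))} - {None}
        if not hosts or not hosts <= trusted_hosts:
            flagged.append(ev["id"])
    return flagged

def csrf_failure_bursts(log_text, threshold=3, endpoint=ENDPOINT):
    """Source IPs with at least `threshold` rejected (403) POSTs to the endpoint:
    the 'multiple failed CSRF validation attempts' indicator once tokens are enforced."""
    hits = Counter()
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["method"] == "POST" and ev["uri"] == endpoint and ev["status"] == 403:
            hits[ev["ip"]] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)
```

On the constructed log, `cross_site_creates` returns requests 2 and 3 (request 1 is same-site and request 4 is a GET), and `csrf_failure_bursts` returns `10.0.0.9`.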