CVE-2023-50743

9.8 CRITICAL

📋 TL;DR

Online Notice Board System v1.0 contains unauthenticated SQL injection vulnerabilities in the registration.php resource. Attackers can execute arbitrary SQL commands without authentication, potentially compromising the entire database. All deployments of this specific software version are affected.

💻 Affected Systems

Products:
  • Online Notice Board System
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The 'dd' parameter in registration.php is the primary attack vector.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case

Database information disclosure, user data theft, and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper input validation and database permission restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via the 'dd' parameter requires no authentication. Basic SQL injection techniques work.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.kashipara.com/

Restart Required: No

Instructions:

1. Check vendor website for updates.
2. If no patch available, implement workarounds.
3. Consider replacing with alternative software.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Add input validation to sanitize the 'dd' parameter before database queries

Modify registration.php to validate/sanitize user input for 'dd' parameter

Web Application Firewall (platform: all)

Deploy WAF with SQL injection protection rules

🧯 If You Can't Patch

  • Isolate the system from internet access
  • Implement strict network segmentation and access controls

🔍 How to Verify

Check if Vulnerable:

Test registration.php with SQL injection payloads in the 'dd' parameter

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Verify input validation prevents SQL injection attempts

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in web server logs
  • Unusual database queries from web application

Network Indicators:

  • HTTP requests to registration.php with SQL payloads in parameters

SIEM Query:

web.url:*registration.php* AND (web.param:*UNION* OR web.param:*SELECT* OR web.param:*' OR '1'='1*)
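
The same indicators applied to raw web server access logs, as an added example that is not part of the original advisory. It decodes the 'dd' value before matching, so percent-encoded or mixed-case variants that a literal wildcard match on the raw URL would miss are still flagged. Assumptions: combined-format access logs with 'dd' in the query string (POST bodies are not in access logs and need WAF or application logging); the function name and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jan/2024:10:01:02 +0000] "GET /registration.php?dd=12 HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Jan/2024:10:01:09 +0000] "GET /registration.php?dd=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 498',
    '203.0.113.4 - - [12/Jan/2024:10:02:40 +0000] "GET /registration.php?dd=1+uNiOn+SeLeCt+1 HTTP/1.1" 500 0',
    '203.0.113.4 - - [12/Jan/2024:10:03:00 +0000] "GET /index.php?q=select+committee HTTP/1.1" 200 900',
]

# Client address, request target and status code from one log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# The three indicators from the SIEM query above, matched case-insensitively
# against the *decoded* parameter value.
SQLI = re.compile(r"\bunion\b|\bselect\b|'\s*or\s*'1'\s*=\s*'1", re.I)


def suspicious_dd_requests(lines):
    """Return requests to registration.php whose 'dd' value matches an indicator."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/registration.php"):
            continue  # scope to the affected resource only
        # parse_qs percent-decodes values and turns '+' into spaces.
        for value in parse_qs(url.query, keep_blank_values=True).get("dd", []):
            if SQLI.search(value):
                hits.append({"client": client, "status": int(status), "dd": value})
    return hits


if __name__ == "__main__":
    for hit in suspicious_dd_requests(SAMPLE_LOG):
        print(hit)
```

A 500 status on a flagged request lines up with the "SQL syntax errors in web server logs" indicator and is worth triaging first.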
