CVE-2023-50862

9.8 CRITICAL

📋 TL;DR

Travel Website v1.0 contains an unauthenticated SQL injection vulnerability in the booking.php resource's hotelIDHidden parameter. Attackers can execute arbitrary SQL commands without authentication, potentially compromising the entire database. All deployments of Travel Website v1.0 are affected.

💻 Affected Systems

Products:
  • Travel Website
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of Travel Website v1.0 are vulnerable by default. No special configuration is required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, and potential remote code execution leading to full system takeover.

🟠 Likely Case

Database information disclosure including user credentials, personal data, and booking information, potentially leading to credential theft and data breaches.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing data enumeration without modification.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and affects a web-facing application, making it easily accessible to attackers.
🏢 Internal Only: MEDIUM - While still vulnerable, internal-only deployments have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are well-understood and easily weaponized. The unauthenticated nature makes exploitation trivial for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.kashipara.com/

Restart Required: No

Instructions:

No official patch available. Check vendor website for updates. Consider implementing workarounds or migrating to alternative software.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side input validation to restrict hotelIDHidden parameter to expected values

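Add input validation in booking.php before the value reaches any query, assuming hotel IDs are non-negative integers: if (!ctype_digit((string)($_POST['hotelIDHidden'] ?? ''))) { die('Invalid input'); }

ctype_digit() is used here rather than is_numeric() because is_numeric() also accepts values such as 1e5, -1 and 1.5, which are not valid integer IDs.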

Web Application Firewall

all

Deploy WAF with SQL injection protection rules

Configure WAF to block SQL injection patterns in POST parameters

🧯 If You Can't Patch

  • Isolate the vulnerable system behind a reverse proxy with strict input filtering
  • Implement network segmentation to limit database access from the web server

🔍 How to Verify

Check if Vulnerable:

Test booking.php with SQL injection payloads in hotelIDHidden parameter: ' OR '1'='1

Check Version:

Check website footer or configuration files for version information

Verify Fix Applied:

Test with the same payloads after implementing fixes; the application should return an error or perform no database interaction.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in web logs
  • Multiple failed booking attempts with malformed parameters
  • Database error logs showing unexpected queries

Network Indicators:

  • HTTP POST requests to booking.php with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/booking.php" AND (param="hotelIDHidden" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|--|#|\*|;)")
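The keyword pattern in the SIEM query above does not match the ' OR '1'='1 test string from the verification step, so the following Python code (an added example, not part of the original advisory or the vendor's code) runs that pattern side by side with an allow-list check on hotelIDHidden. The record layout, the digits-only ID format and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Keyword deny-list copied from the SIEM query above.
KEYWORDS = re.compile(r"(?i)(union|select|insert|update|delete|drop|--|#|\*|;)")
# Allow-list (assumption): a legitimate hotel ID is 1-10 ASCII digits.
VALID_ID = re.compile(r"[0-9]{1,10}")

# Constructed sample records: (client, path, raw POST body). Not real traffic.
SAMPLE = [
    ("192.0.2.10", "/booking.php", "hotelIDHidden=12&guests=2"),
    ("192.0.2.11", "/booking.php", "hotelIDHidden=%27+OR+%271%27%3D%271&guests=2"),
    ("192.0.2.12", "/booking.php", "hotelIDHidden=5+UNION+SELECT+1&guests=1"),
    ("192.0.2.13", "/index.php", "q=select+a+hotel"),
]


def classify(path, body):
    """Return (keyword_hit, allowlist_violation) for one logged POST."""
    if path != "/booking.php":
        return (False, False)
    # parse_qs URL-decodes the values, so encoded quotes are seen in the clear.
    values = parse_qs(body, keep_blank_values=True).get("hotelIDHidden", [])
    keyword_hit = any(KEYWORDS.search(v) for v in values)
    # Any submitted value that is not purely digits violates the allow-list.
    violation = any(not VALID_ID.fullmatch(v) for v in values)
    return (keyword_hit, violation)


def scan(records):
    """Return the clients whose booking.php request violates the allow-list."""
    return [client for client, path, body in records if classify(path, body)[1]]


if __name__ == "__main__":
    for client, path, body in SAMPLE:
        print(client, path, classify(path, body))
```

Alerting on the allow-list violation catches the quote-based probe that the keyword list misses, and it does not fire on ordinary words such as "select" in unrelated parameters.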
