CVE-2023-5373

7.3 HIGH

📋 TL;DR

This SQL injection vulnerability (CVSS 7.3, HIGH) in SourceCodester Online Computer and Laptop Store 1.0 lets an unauthenticated remote attacker alter the database query built from the email parameter of the register function in Master.php. Injected SQL runs with whatever privileges the application's database account holds, so the store database (user accounts, administrative credentials, order data) is exposed to reading and modification. Every deployment of version 1.0 is affected, and no fixed version has been published.

💻 Affected Systems

Products:
  • SourceCodester Online Computer and Laptop Store
Versions: 1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: The defect is in the register function of Master.php, which places the email parameter into a SQL query without parameterization.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise: data theft, data manipulation and authentication bypass, and, where the application's database account has file-write or similar elevated privileges, code execution on the database host.

🟠 Likely Case

Exfiltration of user records and administrative credential hashes, followed by database manipulation (for example, planting or elevating an admin account) and compromise of the store.

🟢 If Mitigated

Limited impact once the register function uses parameterized queries and validates the email value; the injected text is then treated as data rather than SQL.

🌐 Internet-Facing: HIGH - The register endpoint is reachable without authentication, so any internet-facing instance can be exploited directly.
🏢 Internal Only: MEDIUM - Registration is open to anyone with network access to the application, so an internal instance is exploitable by any user on the same network or by an attacker moving laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in GitHub repositories, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Apply the fix in the source yourself: rewrite the register function in Master.php so that every query that takes the email value uses a prepared statement with bound parameters, and validate the email format before the query runs. Escaping or filtering the value is not a substitute for binding it.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

Platform: all

Validate the email parameter in the register function (reject values that do not look like an email address), and change Master.php to use prepared statements with bound parameters for all database operations that take user input. The validation is defence in depth; the parameter binding is what removes the injection.

Web Application Firewall Rules

Platform: all

Deploy WAF rules that inspect POST parameters on the register endpoint for SQL injection patterns (quotes followed by OR/AND, UNION SELECT, comment sequences, stacked statements). Inspect the URL-decoded value, and treat the WAF as a stopgap only: pattern-based rules can be bypassed, and the code fix is still required.

🧯 If You Can't Patch

  • If self-registration is not needed, remove or disable the register action in Master.php so the vulnerable code path is unreachable
  • Run the application with a least-privilege database account (no FILE, no access to other schemas) to limit what injected SQL can do
  • Implement network segmentation to isolate the vulnerable system from critical assets
  • Deploy intrusion detection systems to monitor for SQL injection attempts against the register endpoint

🔍 How to Verify

Check if Vulnerable:

On a non-production copy, submit registration requests whose email field contains a single quote, then a tautology such as `' OR 1=1 -- `. A database error, a changed response, or a successful duplicate-email match for an address that does not exist indicates the value reaches the SQL parser. If the application suppresses errors, compare responses for a true and a false injected condition, or use a time-based probe, before concluding the endpoint is safe.

Check Version:

Check the software version in the application's configuration or about page

Verify Fix Applied:

Repeat the same probes against the fixed endpoint: a quote or tautology in the email field must produce the same response as any other unknown or malformed address, with no database error, no extra rows and no timing difference. Confirm in the source that the register function binds the email value as a parameter rather than concatenating it into the query.
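The vulnerable pattern and its fix, together with the three probes the verification steps above describe, as an added Python example written for this page (it is not the project's Master.php). Python's sqlite3 stands in for the PHP/MySQL stack so the behaviour reproduces offline; the users table, the duplicate-email lookup and the register flow are assumptions, since the real code is not on the page, and only SQL syntax SQLite and MySQL share is used.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the store's users table (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [("alice@example.com", "hash1"), ("bob@example.com", "hash2")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Duplicate-email check built by string interpolation: the email value is
    parsed as SQL, which is the defect class behind CVE-2023-5373."""
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Same check with a bound parameter: the value is sent as data, never parsed as SQL."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


# Conservative shape check; apostrophes are still allowed, binding makes them harmless.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def register_safe(conn, email, password_hash):
    """Hardened register flow: validate the shape, then bind every parameter.
    Returns 'invalid', 'exists' or 'created'. Validation is defence in depth only;
    the parameter binding is what removes the injection."""
    if not EMAIL_RE.fullmatch(email):
        return "invalid"
    if lookup_safe(conn, email):
        return "exists"
    conn.execute("INSERT INTO users (email, password) VALUES (?, ?)", (email, password_hash))
    return "created"


def probe(lookup, conn):
    """The three checks from 'How to Verify', run against either implementation."""
    out = {}
    # 1. A lone quote: a syntax error proves the value reached the SQL parser.
    try:
        lookup(conn, "'")
        out["quote_error"] = False
    except sqlite3.OperationalError:
        out["quote_error"] = True
    # 2. Tautology: an address that does not exist must match zero rows.
    out["tautology_rows"] = len(lookup(conn, "nobody@example.invalid' OR 1=1 -- "))
    # 3. UNION: a column the query never selected must not come back.
    rows = lookup(conn, "x' UNION SELECT id, password FROM users -- ")
    out["union_leak"] = any(r[1] in ("hash1", "hash2") for r in rows)
    return out


if __name__ == "__main__":
    print("vulnerable:", probe(lookup_vulnerable, make_db()))
    print("fixed:     ", probe(lookup_safe, make_db()))
```

Against `lookup_vulnerable` the quote raises a syntax error, the tautology returns every row and the UNION hands back password hashes; against `lookup_safe` all three come back clean, which is the result the "Verify Fix Applied" step expects.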

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from web application logs
  • SQL syntax errors in application logs
  • Multiple failed registration attempts with suspicious email patterns

Network Indicators:

  • HTTP POST requests to the register endpoint whose email parameter contains SQL keywords or quote sequences (the value travels in the request body, so body logging or a WAF/reverse proxy that records parameters is needed to see it)
  • Unusual database connection patterns from web server

SIEM Query (assumes the request body has been captured and the email parameter extracted as a field):

source="web_logs" AND (url="*/register*" OR url="*/Master.php*") AND (email="*' OR *" OR email="*;--*" OR email="*UNION*" OR email="*SELECT*" OR email="*INSERT*")

Apply the match to the URL-decoded value: a payload arrives as `%27+OR+1%3D1` on the wire and will not match the literal `' OR ` pattern unless the field is decoded first.
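The log indicators and the SIEM query above, as an added Python detection example written for this page and run over constructed sample log lines (not real logs, and not tooling from the project). It assumes the web server has been configured to log POST bodies, which Apache and nginx do not do by default, and the register path `/classes/Master.php?f=register` is an assumption. It also shows why decoding matters: the keyword match from the SIEM query misses a URL-encoded tautology that the decoded check catches.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines: "<client ip> <method> <path> <raw POST body or ->".
SAMPLE_LOGS = [
    "10.0.0.5 POST /classes/Master.php?f=register email=alice%40example.com&password=Passw0rd",
    "10.0.0.9 POST /classes/Master.php?f=register email=x%27+OR+1%3D1+--+&password=a",
    "10.0.0.9 POST /classes/Master.php?f=register email=x%27+UNION+SELECT+1%2Cpassword+FROM+users+--+&password=a",
    "10.0.0.7 POST /classes/Master.php?f=register email=o%27brien%40example.com&password=b",
    "10.0.0.3 GET /index.php -",
]

# Patterns applied to the URL-decoded email value. A lone apostrophe is deliberately
# not a rule on its own: legitimate addresses such as o'brien@example.com contain one.
INJECTION_PATTERNS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I)),
    ("union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("comment", re.compile(r"(--|#|/\*)")),
    ("stacked", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
]


def raw_siem_match(line):
    """Approximation of the SIEM query's keyword wildcards run on the raw, still
    URL-encoded line, to show what a non-decoding search misses."""
    return any(tok in line for tok in ("' OR ", ";--", "UNION", "SELECT", "INSERT"))


def decoded_email(line):
    """Return the URL-decoded email parameter of a POST to Master.php, else None."""
    parts = line.split(" ", 3)
    if len(parts) < 4 or parts[1] != "POST" or "Master.php" not in parts[2]:
        return None
    return parse_qs(parts[3]).get("email", [None])[0]


def analyze(lines):
    """Yield (client ip, decoded email, rule name) for every line that trips a rule."""
    hits = []
    for line in lines:
        email = decoded_email(line)
        if email is None:
            continue
        for name, pattern in INJECTION_PATTERNS:
            if pattern.search(email):
                hits.append((line.split(" ", 1)[0], email, name))
                break
    return hits


if __name__ == "__main__":
    for ip, email, rule in analyze(SAMPLE_LOGS):
        print(f"{ip}\t{rule}\t{email!r}")
```

The encoded tautology on the second line is invisible to the raw keyword match but is flagged once the email field is decoded, while the apostrophe in `o'brien@example.com` produces no alert.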

🔗 References